216.73.217.64

CVE-2026-44706

· Published 26/05/2026 18:16 · Modified 26/05/2026 19:37

Labels: CVE-2026-44706 2026-05-26CVE-2026-44706CWE-89[email protected]

Essential information

Published
26/05/2026 18:16
Modified
26/05/2026 19:37
Author
Creator
CVSS
8.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CVSS metrics

Description

Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
chatwoot / chatwoot cpe:2.3:a:chatwoot:chatwoot:2.2.0-4.11.1:*:*:*:*:*:*:*

References