Description
Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user's local context.
Published: 2026-01-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Execution of arbitrary JavaScript in the authenticated user's browser context via a stored cross-site scripting flaw
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the PDF upload feature of LiveHelperChat. An attacker can embed malicious JavaScript into a PDF file and upload it. When a user later downloads and opens the file through the link generated by the application, the script runs within the user's browser context, potentially allowing the attacker to steal session data, deface the page, or perform actions on behalf of the user. The flaw is identified as CWE-79.

Affected Systems

LiveHelperChat installations using any release prior to version 4.72 are affected. The issue centers on the PDF upload and handling component, and all users who have the ability to upload or download PDFs from the system could be impacted.

Risk and Exploitability

The CVSS base score is 6.9, indicating a moderate severity risk. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to successfully upload a crafted PDF, which typically demands write access to the upload location or the ability to influence users who can upload files. Once the file is served, the stored XSS payload executes in the context of any user who opens the file, providing a client-side compromise without the need for network exploitation.

Generated by OpenCVE AI on April 18, 2026 at 01:45 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed in version 4.72.


OpenCVE Recommended Actions

  • Upgrade LiveHelperChat to version 4.72 or later to remove the flaw
  • If an upgrade is not immediately possible, disable PDF uploads entirely or restrict upload permissions to trusted administrators only
  • Implement a strict Content Security Policy that blocks inline script execution and disallows eval, and enable the browser's built-in XSS filter to mitigate any residual risk

Generated by OpenCVE AI on April 18, 2026 at 01:45 UTC.
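A defender-side check for this class of issue, added here as an example and not code from the Live Helper Chat project: it flags uploaded PDFs that carry active-content entries (resolving the #xx name escapes that PDF syntax allows, which defeat a naive substring match) and builds the response headers that make a stored PDF download rather than render inline on the application's origin. The key list, the constructed sample PDF bytes and the `safe_download_headers` helper are assumptions of this example.

```python
import re
from typing import Dict, List

# PDF dictionary keys that introduce active content. A PDF name may spell
# any byte as #xx, so /J#61vaScript is the same name as /JavaScript.
ACTIVE_CONTENT_KEYS = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "SubmitForm")

# A name token: '/' followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a PDF name token to its canonical spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_active_content(pdf: bytes) -> List[str]:
    """Return active-content keys visible in the raw PDF bytes, in order found.

    Names inside Flate-compressed object streams are not visible to this
    scan; treat an empty result as 'nothing obvious', not as proof of safety.
    """
    found: List[str] = []
    for m in _NAME_RE.finditer(pdf):
        name = _decode_name(m.group(1))
        if name in ACTIVE_CONTENT_KEYS and name not in found:
            found.append(name)
    return found


def safe_download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving an uploaded PDF as a download, never rendered inline
    on the application's origin (hypothetical helper, not LHC's own code)."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "file.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed samples: a benign catalog, and a catalog whose OpenAction points
# at a JavaScript action with the action name hex-escaped.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n")
```

The plain substring `/JavaScript` does not occur in `JS_PDF`, yet the scan still reports it, which is the point of decoding names before comparing.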

Tracking


Advisories

No advisories yet.

History

Wed, 28 Jan 2026 16:15:00 +0000

No values removed. Values added:

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:00:00 +0000

No values removed. Values added:

Description: Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user's context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user's local context.
Title: Stored Cross-Site Scripting (XSS) vulnerability in LiveHelperChat
First Time appeared: Livehelperchat; Livehelperchat livehelperchat
Weaknesses: CWE-79
CPEs: cpe:2.3:a:livehelperchat:livehelperchat:*:*:*:*:*:*:*:*
Vendors & Products: Livehelperchat; Livehelperchat livehelperchat
References: (none listed)
Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-28T15:47:13.081Z

Reserved: 2025-12-09T12:06:56.261Z

Link: CVE-2026-0483

Vulnrichment

Updated: 2026-01-28T15:47:05.824Z

NVD

Status : Deferred

Published: 2026-01-28T12:15:52.297

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses