Description
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.
Published: 2026-03-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Check Updates
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw present in the NotChatbot WebChat widget up to and including version 1.4.4. User‑supplied text entered in the chat channel is not properly sanitized before it is persisted and later rendered when the conversation history is reloaded, allowing an attacker to inject JavaScript that executes with the privileges of the browser session.

Affected Systems

The flaw is confined to installations that use the NotChatbot WebChat widget version 1.4.4. Because the issue replicates across multiple independent implementations, it is a product‑wide defect rather than a configuration bug. All sites embedding this widget are potentially affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, suggesting low current exploit probability, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by submitting malicious input through the chat interface; the payload is stored and then executed when the chat history is refreshed. The impact is confined to browsers that load the stored content without additional encoding or sanitization. No explicit network exposure or privilege escalation is described in the data.

Generated by OpenCVE AI on March 19, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check if a newer version of the NotChatbot WebChat widget is available; if so, upgrade.
  • If an upgrade cannot be applied immediately, configure the widget to strip or escape user input before it is stored or disable chat history persistence to prevent stored payloads.
  • Implement a strong Content Security Policy that disallows inline script execution.
  • Monitor the widget for unusual input patterns and review the integration for proper data sanitization.

Generated by OpenCVE AI on March 19, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w3vx-52j6-9fjp NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability
History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Stored XSS in NotChatbot WebChat widget

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Developer.notchatbot
Developer.notchatbot webchat
Vendors & Products Developer.notchatbot
Developer.notchatbot webchat

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.
References

Subscriptions

Developer.notchatbot Webchat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T14:31:35.234Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30048

cve-icon Vulnrichment

Updated: 2026-03-19T14:31:23.780Z

cve-icon NVD

Status : Deferred

Published: 2026-03-18T18:16:27.607

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-30048

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:04Z

Weaknesses