{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30048", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-19T14:31:35.234Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T17:06:42.558Z"}, "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.npmjs.com/package/@developer.notchatbot/webchat"}, {"url": "https://app.unpkg.com/@developer.notchatbot/webchat@1.4.4"}, {"url": "https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe"}, {"url": "https://github.com/0xN4no/CVE-2026-30048"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:25:57.560725Z", "id": "CVE-2026-30048", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:31:35.234Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30048", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:25:57.560725Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:31:23.780Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.npmjs.com/package/@developer.notchatbot/webchat"}, {"url": "https://app.unpkg.com/@developer.notchatbot/webchat@1.4.4"}, {"url": "https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe"}, {"url": "https://github.com/0xN4no/CVE-2026-30048"}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-18T17:06:42.558Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30048", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:31:35.234Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-18T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en el widget NotChatbot WebChat hasta la versi\u00f3n 1.4.4. La entrada proporcionada por el usuario no se sanitiza correctamente antes de ser almacenada y renderizada en el historial de conversaci\u00f3n del chat. Esto permite a un atacante inyectar c\u00f3digo JavaScript arbitrario que se ejecuta cuando se recarga el historial del chat. El problema es reproducible en m\u00faltiples implementaciones independientes del widget, lo que indica que la vulnerabilidad reside en el producto mismo en lugar de en una configuraci\u00f3n espec\u00edfica del sitio web."}], "id": "CVE-2026-30048", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T18:16:27.607", "references": [{"source": "cve@mitre.org", "url": "https://app.unpkg.com/@developer.notchatbot/webchat@1.4.4"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe"}, {"source": "cve@mitre.org", "url": "https://github.com/0xN4no/CVE-2026-30048"}, {"source": "cve@mitre.org", "url": "https://www.npmjs.com/package/@developer.notchatbot/webchat"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.4]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "webchat", "vendor": "developer.notchatbot"}], "analysis": {"en": {"generated_at": "2026-03-19T16:53:07.236740+00:00", "value": {"mitigation_remediation": ["Check if a newer version of the NotChatbot WebChat widget is available; if so, upgrade.", "If an upgrade cannot be applied immediately, configure the widget to strip or escape user input before it is stored or disable chat history persistence to prevent stored payloads.", "Implement a strong Content Security Policy that disallows inline script execution.", "Monitor the widget for unusual input patterns and review the integration for proper data sanitization."], "summary": {"action": "Check Updates", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw is confined to installations that use the NotChatbot WebChat widget version 1.4.4. Because the issue replicates across multiple independent implementations, it is a product\u2011wide defect rather than a configuration bug. All sites embedding this widget are potentially affected.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw present in the NotChatbot WebChat widget up to and including version 1.4.4. User\u2011supplied text entered in the chat channel is not properly sanitized before it is persisted and later rendered when the conversation history is reloaded, allowing an attacker to inject JavaScript that executes with the privileges of the browser session.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, suggesting low current exploit probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw by submitting malicious input through the chat interface; the payload is stored and then executed when the chat history is refreshed. The impact is confined to browsers that load the stored content without additional encoding or sanitization. No explicit network exposure or privilege escalation is described in the data."}}}}, "created": "2026-03-19T08:57:04.155336+00:00", "title": "Stored XSS in NotChatbot WebChat widget", "updated": "2026-03-24T10:54:04.510357+00:00", "vendors": ["developer.notchatbot", "developer.notchatbot$PRODUCT$webchat"]}