CVE Catalog

CVE-2026-43900

Critical
Published: Translated: NVD NIST

Summary

In DeepChat, prior to version 1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. An attacker can exploit this vulnerability to execute arbitrary JavaScript by manipulating SVG elements.

Risk Assessment

The organization may be exposed to XSS attacks, which can lead to user data theft or session hijacking. Exploiting this vulnerability could result in serious security implications for the application.

Recommendation

It is recommended to upgrade to version 1.0.4-beta.1, which fixes this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.

Original NVD description (English source)

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (src/main/lib/svgSanitizer.ts) restricts script execution by scrubbing javascript: protocols using plain-text regular expressions. However, it fails to account for HTML entity decoding prior to Vue's v-html DOM insertion inside the SvgArtifact.vue component. By feeding an SVG artifact with obfuscated entities (e.g., javascript:alert(1)), an attacker can completely bypass the sanitizer, culminating in arbitrary JavaScript execution when a victim interacts with the rendered SVG Element. This vulnerability is fixed in v1.0.4-beta.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS