CVE Catalog

CVE-2026-47733

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.

Risk Assessment

The organization may be exposed to XSS attacks, which could lead to data theft or session hijacking. Users on older browsers are particularly vulnerable.

Recommendation

It is recommended to upgrade Rocket.Chat to version 8.5.0 or later to eliminate this vulnerability. Additionally, conducting a security audit of the application is advisable.

Original NVD description (English source)

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component — which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols — ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS