CVE-2025-50733
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-08-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextchat | nextchat | 2.16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the HTMLPreview component of NextChat's artifacts.tsx file. It allows attackers to execute arbitrary JavaScript code by injecting malicious HTML content into the AI chat interface. The problem arises because user-influenced HTML from AI responses is rendered inside an iframe with 'allow-scripts' sandbox permission but without proper sanitization. Attackers can craft prompts that cause the AI to generate harmful HTML/JavaScript, which executes when a user views the HTML preview.
How can this vulnerability impact me? :
This vulnerability can lead to attackers executing malicious JavaScript in the user's browser context. This can result in exfiltration of sensitive information such as API keys stored in localStorage, unauthorized actions performed on behalf of the user, and theft of session data, potentially compromising user accounts and data security.