CVE-2026-0483
Stored XSS in Live Helper Chat PDF Upload Enables Code Execution
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| live_helper_chat | live_helper_chat | up to 4.72 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the PDF file upload functionality of Live Helper Chat versions prior to 4.72. An attacker can upload a malicious PDF containing an XSS payload. When a user downloads and opens this PDF via the link generated by the application, the malicious JavaScript code executes in the user's local context.
How can this vulnerability impact me?
The vulnerability allows an attacker to execute arbitrary JavaScript code in the user's local context when they open a malicious PDF file. This can lead to unauthorized actions performed on behalf of the user, data theft, session hijacking, or other malicious activities depending on the attacker's intent.
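A defender-side pre-filter for the PDF upload path described above, as an added example: it is not Live Helper Chat code and not the fix shipped in 4.72. The function names, the verdict strings and the sample files are assumptions constructed for illustration; the check looks for the PDF name keys that carry or trigger JavaScript, including their `#xx`-escaped spellings.

```python
import re

# PDF name keys, per the PDF action model: script carriers, event triggers,
# and containers that hide names from a raw byte scan.
SCRIPT_NAMES = {"JS", "JavaScript"}
TRIGGER_NAMES = {"OpenAction", "AA"}
OPAQUE_NAMES = {"ObjStm", "Encrypt"}

# A name is "/" followed by bytes that are neither whitespace nor delimiters.
_NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escaping so that /#4AS is recognised as /JS."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def inspect_pdf(data: bytes):
    """Return (verdict, findings) for the bytes of an uploaded file."""
    if not data.startswith(b"%PDF-"):
        return "reject", ["not-a-pdf"]
    names = {decode_name(m.group(1)) for m in _NAME_RE.finditer(data)}
    findings = sorted(names & (SCRIPT_NAMES | TRIGGER_NAMES | OPAQUE_NAMES))
    if names & SCRIPT_NAMES:
        return "reject", findings
    if names & OPAQUE_NAMES:
        # Compressed or encrypted objects: a byte scan cannot see inside.
        return "needs_full_parse", findings
    return "accept", findings

# Constructed sample inputs (not taken from any real exploit file).
SAMPLES = {
    "benign": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "escaped_script": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
                      b"<< /S /#4A#61vaScript /#4AS (placeholder) >> >>\nendobj\n%%EOF\n",
    "object_stream": b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 3 /First 20 /Length 0 >>\n"
                     b"stream\n\nendstream\nendobj\n%%EOF\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, inspect_pdf(blob))
```

Because the scan runs over raw bytes, binary stream data can occasionally match a name by chance; treat the result as a fail-closed pre-filter ahead of a full PDF parser, not as a complete sanitizer.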