CVE-2025-59902
Unknown Unknown - Not Provided
HTML Injection in NICE Chat Enables Phishing via Email Transcripts

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59902
EUVD
EUVD-2025-206732
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nice nice_chat *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection issue in the NICE Chat system. It allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the 'firstName' and 'lastName' parameters during a chat session. The injected HTML is included in the body of emails sent by the system, which can be exploited to perform phishing attacks, impersonation, or credential theft. [1]

Impact Analysis

The vulnerability can impact you by enabling attackers to inject malicious HTML into email transcripts, which can lead to phishing attacks, impersonation of users or agents, and theft of credentials. This can compromise the security and trustworthiness of communications through the NICE Chat system. [1]

Detection Guidance

This vulnerability can be detected by monitoring chat sessions for unusual or suspicious input in the 'firstName' and 'lastName' parameters that include HTML tags or scripts. Since the vulnerability involves HTML injection in email transcripts, inspecting outgoing emails for unexpected HTML content in these fields can help identify exploitation attempts. Specific commands are not provided in the available resources. [1]

Mitigation Strategies

No official solution or patch has been reported at this time. Immediate mitigation steps include monitoring and filtering input in the 'firstName' and 'lastName' parameters to prevent HTML injection, educating users about phishing risks, and scrutinizing email transcripts for suspicious content. Implementing input validation and sanitization on these parameters is recommended as a temporary measure. [1]

Compliance Impact

The vulnerability allows attackers to inject arbitrary HTML into email transcripts, which can lead to phishing, impersonation, or credential theft. Such security weaknesses can compromise the confidentiality and integrity of personal and sensitive data handled by NICE Chat.

This type of vulnerability may negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to implement appropriate security measures to protect personal and health information from unauthorized access or disclosure.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59902. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart