CVE-2026-25144
Stored XSS in Talishar Chat Allows Remote Script Execution
Publication date: 2026-02-02
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | talishar | to 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) in the chat system of the fan-made Flesh and Blood project called Talishar. Specifically, the playerID parameter in the SubmitChat.php file is saved without proper sanitization and is executed whenever a user views the current game page, allowing malicious scripts to run.
How can this vulnerability impact me? :
The vulnerability can allow attackers to inject malicious scripts into the chat system, which will execute in the browsers of users viewing the game page. This can lead to unauthorized actions such as session hijacking, defacement, or other malicious activities impacting the integrity of the user experience.
What immediate steps should I take to mitigate this vulnerability?
Apply the fix identified by commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 which sanitizes the playerID parameter in SubmitChat.php to prevent Stored XSS. Until the fix is applied, avoid using or exposing the vulnerable chat system to untrusted users.