CVE-2026-47733
Stored XSS in Rocket.Chat via Unsanitized Image Markdown

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component, which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols, ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: rocket.chat
Product: imageelement
Version / Range: up to 8.5.0 (exclusive)
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0, in the ImageElement component of packages/gazzodown. The component renders user-controlled src values directly into <a href> and <img src> attributes without sanitizing the URL protocol. Unlike the analogous LinkSpan component, which uses sanitizeUrl to block the javascript:, data:, and vbscript: protocols, ImageElement passes the raw URL through unchanged.

An authenticated user can post a markdown image whose URL uses the javascript: scheme. If another user clicks the resulting image link in an older browser, arbitrary JavaScript executes in that viewer's session.

This issue was fixed in Rocket.Chat version 8.5.0.

Impact Analysis

The vulnerability can lead to the execution of arbitrary JavaScript code in the session of a user who clicks on a malicious image link posted by an authenticated user. This could result in session hijacking, data theft, or other malicious actions performed within the context of the affected user's session.

Because the attack requires user interaction (a click on the malicious image link) and an older browser, the risk is somewhat limited but still significant, especially in environments where users are unlikely to recognize such a link as hostile.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to version 8.5.0 or later, where the issue with the ImageElement component rendering user-controlled src values without protocol sanitization has been fixed.

Until the upgrade is applied, prevent authenticated users from posting markdown images whose URL uses the javascript: scheme (or the other schemes LinkSpan already blocks, data: and vbscript:), so that no such link is rendered for other viewers.
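The sanitization gap described in the Description and the interim filter suggested above, as an added example that is not Rocket.Chat's or gazzodown's code: a scheme allow-list check of the kind the advisory attributes to LinkSpan's sanitizeUrl, applied before a user-supplied URL reaches an href or src attribute, together with a scanner that flags markdown images in a message whose URL scheme would be rejected. The function names, the 'about:blank' replacement for rejected URLs, the simplified markdown pattern and the sample message are assumptions made for this example, not the project's own identifiers or behaviour.

```javascript
// Added example (not Rocket.Chat's or gazzodown's code): an allow-list check
// on the URL scheme before a user-supplied value is rendered into an
// <a href> or <img src> attribute, plus a scanner for markdown image syntax
// that an operator could run on messages as an interim filter before 8.5.0.
// All names here (SAFE_SCHEMES, schemeOf, isSafeUrl, sanitizeUrl,
// findUnsafeMarkdownImages, the 'about:blank' fallback, the markdown regex)
// are assumptions for this example, not the project's identifiers.

// Allow-list: only schemes that cannot carry script are accepted. Everything
// else (javascript:, data:, vbscript:, ...) is rejected by default, which is
// safer than maintaining a deny-list of known-bad schemes.
const SAFE_SCHEMES = new Set(['http', 'https']);
const UNSAFE_URL_PLACEHOLDER = 'about:blank';

// Browsers strip ASCII control characters and spaces before parsing a URL, so
// "java\tscript:" or " javascript:" is treated as javascript:. Normalise the
// same way (drop U+0000..U+0020, lower-case) before reading the scheme so the
// check agrees with the browser. Only the decision uses the normalised form;
// the rendered value is left unchanged.
function schemeOf(raw) {
  const normalized = String(raw).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  return m ? m[1] : null; // null: no scheme, i.e. a relative URL
}

// Relative URLs ("/files/x.png", "./x.png", "//cdn.example.com/x.png") carry
// no scheme of their own and inherit the page's http(s), so they pass.
function isSafeUrl(raw) {
  const scheme = schemeOf(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// The LinkSpan-style path: pass safe URLs through, replace everything else
// with an inert value instead of rendering the raw attacker-controlled string.
function sanitizeUrl(raw) {
  return isSafeUrl(raw) ? raw : UNSAFE_URL_PLACEHOLDER;
}

// Simplified markdown image pattern ![alt](url), allowing one level of
// balanced parentheses inside the URL. An approximation for this example,
// not the markdown grammar gazzodown actually implements.
const MARKDOWN_IMAGE = /!\[([^\]]*)\]\(\s*((?:[^\s()]|\([^\s()]*\))*)\s*\)/g;

// Interim server-side filter: report every markdown image in a message whose
// URL scheme is not on the allow-list, so the message can be rejected or the
// image stripped before it reaches other viewers.
function findUnsafeMarkdownImages(message) {
  const findings = [];
  for (const m of String(message).matchAll(MARKDOWN_IMAGE)) {
    const [, alt, url] = m;
    if (!isSafeUrl(url)) {
      findings.push({ alt, url, scheme: schemeOf(url) });
    }
  }
  return findings;
}

// Constructed sample message (not a real Rocket.Chat message): two benign
// images, one mixed-case javascript: URL and one data: URL.
const SAMPLE_MESSAGE = [
  'Team logo: ![logo](https://example.com/logo.png)',
  'My avatar: ![me](/files/avatar.png)',
  'Look: ![pic](JaVaScRiPt:void(0))',
  'And: ![pic2](data:text/plain,hello)',
].join('\n');

for (const f of findUnsafeMarkdownImages(SAMPLE_MESSAGE)) {
  console.log(`blocked scheme "${f.scheme}" in image "${f.alt}": ${f.url}`);
}
```

Run with node; the top-level loop prints the two flagged images in the constructed message. The allow-list (http, https) is deliberately narrow: it rejects the javascript:, data: and vbscript: schemes named in the advisory and anything else not explicitly permitted, and it normalises the value the way browsers do before reading the scheme, so a change of case or an embedded tab does not slip past the check while still being honoured by the browser.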
