CVE-2026-47733
Deferred Deferred - Pending Action

Stored XSS in Rocket.Chat via Unsanitized Image Markdown

Vulnerability report for CVE-2026-47733, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, the ImageElement component in packages/gazzodown renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. Unlike the analogous LinkSpan component β€” which uses sanitizeUrl to block javascript:, data:, and vbscript: protocols β€” ImageElement passes the raw URL through unchanged. An authenticated user can post a markdown image with a javascript: URL that, if clicked on an older browser, would execute arbitrary JavaScript in the viewer's session. This vulnerability is fixed in 8.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rocket.chat imageelement to 8.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Rocket.Chat versions prior to 8.5.0 in the ImageElement component. The component renders user-controlled src values directly into <a href> and <img src> attributes without sanitizing the protocol. Unlike a similar component that blocks dangerous protocols like javascript:, data:, and vbscript:, ImageElement allows raw URLs to pass through unchanged.

An authenticated user can post a markdown image with a javascript: URL. If another user clicks on this image link using an older browser, arbitrary JavaScript code could execute in the viewer's session, potentially compromising their security.

This issue was fixed in Rocket.Chat version 8.5.0.

Impact Analysis

The vulnerability can lead to the execution of arbitrary JavaScript code in the session of a user who clicks on a malicious image link posted by an authenticated user. This could result in session hijacking, data theft, or other malicious actions performed within the context of the affected user's session.

Because the attack requires user interaction (clicking the malicious image) and an older browser, the risk is somewhat limited but still significant, especially in environments where users may not be aware of the threat.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Rocket.Chat to version 8.5.0 or later, where the issue with the ImageElement component rendering user-controlled src values without protocol sanitization has been fixed.

Until the upgrade is applied, restrict authenticated users from posting markdown images with potentially dangerous javascript: URLs to prevent arbitrary JavaScript execution in viewers' sessions.

Compliance Impact

The vulnerability in Rocket.Chat's ImageElement component allows an authenticated user to embed malicious javascript: URLs that can execute arbitrary JavaScript in the viewer's session on vulnerable browsers. This could lead to stored cross-site scripting (XSS), session hijacking, or credential theft.

Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access or data breaches. Exploitation of this vulnerability could result in unauthorized access to personal or sensitive information, thereby potentially violating these regulations.

Detection Guidance

This vulnerability involves malicious javascript: URLs embedded in markdown images within Rocket.Chat messages. To detect it on your system, you can search for markdown image syntax containing javascript: URLs in the message database or logs.

  • Query your Rocket.Chat message database for markdown image tags with src attributes starting with "javascript:".
  • Example command to search in a MongoDB Rocket.Chat message collection:

db.rocketchat_message.find({msg: /!\[.*\]\(javascript:/i})

  • Alternatively, search log files or exported messages for the pattern '![](' followed by 'javascript:' URLs.
  • Monitor user-submitted markdown images for suspicious protocols like javascript:, data:, or vbscript: in the src attribute.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart