Shivam Mishra

4 exploits Active since Apr 2023
CVE-2026-44707 MEDIUM WRITEUP
Chatwoot: Pre-Account Takeover via OAuth on Unconfirmed Accounts
Chatwoot is a customer engagement suite. In versions from 2.14.0 up to but not including 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and read any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0.
CVSS 6.8
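The flow above, replayed in a small in-memory model. This is an added illustration, not Chatwoot's code: `UserStore`, `oauth_callback_vulnerable`, `oauth_callback_hardened` and `attacker_retains_access?` are hypothetical stand-ins for the Devise/OmniAuth pieces, SHA-256 stands in for bcrypt, and the victim address is constructed sample input. The vulnerable callback confirms whatever account already sits under the OAuth email and leaves its password alone; the hardened one rotates the password of any pre-existing unconfirmed account before confirming it.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical user record; mirrors the fields the flow depends on.
User = Struct.new(:email, :password_digest, :confirmed_at, :provider, keyword_init: true)

# SHA-256 stands in for bcrypt only to keep the example dependency-free.
def hash_password(password)
  Digest::SHA256.hexdigest(password)
end

class UserStore
  def initialize
    @users = {}
  end

  def find(email)
    @users[email.downcase]
  end

  # Email/password signup. No confirmation mail is modelled: confirmed_at stays nil.
  def signup(email, password)
    raise ArgumentError, "account exists" if find(email)
    @users[email.downcase] = User.new(email: email.downcase,
                                       password_digest: hash_password(password),
                                       confirmed_at: nil, provider: nil)
  end
end

# Password login. require_confirmation: false is the vulnerable behaviour,
# where an unconfirmed account is already usable.
def password_login(store, email, password, require_confirmation:)
  user = store.find(email)
  return false if user.nil?
  return false if require_confirmation && user.confirmed_at.nil?
  user.password_digest == hash_password(password)
end

# Vulnerable callback: links the OAuth identity to whatever account already
# exists under that email and confirms it, leaving the pre-set password intact.
def oauth_callback_vulnerable(store, email)
  user = store.find(email) || store.signup(email, SecureRandom.hex(16))
  user.confirmed_at ||= Time.now
  user.provider = "google_oauth2"
  user
end

# Hardened callback: a pre-existing but unconfirmed account is not trusted.
# Its password is replaced with a random value (a real app would also revoke
# its sessions and API tokens) before the OAuth identity confirms it.
def oauth_callback_hardened(store, email)
  user = store.find(email)
  if user.nil?
    user = store.signup(email, SecureRandom.hex(16))
  elsif user.confirmed_at.nil?
    user.password_digest = hash_password(SecureRandom.hex(32))
  end
  user.confirmed_at ||= Time.now
  user.provider = "google_oauth2"
  user
end

# Replays the attack: the attacker pre-registers the victim's address with a
# password, the victim later signs in through OAuth, the attacker retries the
# original password. Returns true if the attacker still gets in.
def attacker_retains_access?(callback:, require_confirmation:)
  store = UserStore.new
  store.signup("victim@example.com", "attacker-chosen") # constructed sample input
  callback.call(store, "victim@example.com")
  password_login(store, "victim@example.com", "attacker-chosen",
                 require_confirmation: require_confirmation)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{attacker_retains_access?(callback: method(:oauth_callback_vulnerable), require_confirmation: false)}"
  puts "hardened:   #{attacker_retains_access?(callback: method(:oauth_callback_hardened), require_confirmation: true)}"
end
```

Note that gating password login on `confirmed_at` alone does not close the hole: the vulnerable callback confirms the attacker's account the moment the victim completes OAuth, after which the attacker's password works again. The pre-set credential has to be invalidated at the point where the account is confirmed by a different identity.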
CVE-2025-21628 CRITICAL WRITEUP
Chatwoot 2.16.1-3.15.9 - Authenticated SQL Injection via Query Operator Parameter
Chatwoot is a customer engagement suite. Prior to 3.16.0, the conversation and contact filter endpoints did not sanitize the query_operator value passed from the frontend or the API. This gave any authenticated actor a way to run arbitrary SQL within the filter query, for example by injecting a tautological WHERE clause through the operator. This issue is patched in v3.16.0.
CVSS 9.1
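The unsanitized-operator pattern beside its allowlisted form, as an added example rather than Chatwoot's actual filter code. `build_where_vulnerable`, `build_where_hardened`, the attribute allowlist and the filter hashes are hypothetical; the malicious filter is constructed input. Both builders bind values as parameters, so the only difference is whether the client-supplied `query_operator` is interpolated verbatim or checked against `AND`/`OR`.

```ruby
# Hypothetical allowlists; a real filter layer would derive these from its schema.
ALLOWED_ATTRIBUTES = %w[status inbox_id assignee_id].freeze
ALLOWED_OPERATORS  = %w[AND OR].freeze

# Constructed sample filters. Each hash is one condition; query_operator joins it
# to the next one. The malicious set smuggles a tautology through the operator.
BENIGN_FILTERS = [
  { attribute: "status",   value: 1, query_operator: "AND" },
  { attribute: "inbox_id", value: 5 }
].freeze

MALICIOUS_FILTERS = [
  { attribute: "status",   value: 1, query_operator: "OR 1=1 OR" },
  { attribute: "inbox_id", value: 5 }
].freeze

def check_attribute!(attribute)
  return attribute if ALLOWED_ATTRIBUTES.include?(attribute)
  raise ArgumentError, "invalid attribute: #{attribute.inspect}"
end

# Vulnerable: attribute is allowlisted and values are bound, but the
# client-controlled query_operator goes straight into the SQL text.
def build_where_vulnerable(filters)
  sql = +""
  params = []
  filters.each_with_index do |f, i|
    sql << "#{check_attribute!(f[:attribute])} = ?"
    params << f[:value]
    sql << " #{f[:query_operator]} " if i < filters.size - 1 # injection point
  end
  [sql, params]
end

# Hardened: the operator is normalised and must be one of the two literals.
# Anything else is rejected before any SQL is assembled.
def build_where_hardened(filters)
  sql = +""
  params = []
  filters.each_with_index do |f, i|
    sql << "#{check_attribute!(f[:attribute])} = ?"
    params << f[:value]
    next unless i < filters.size - 1
    op = f[:query_operator].to_s.strip.upcase
    unless ALLOWED_OPERATORS.include?(op)
      raise ArgumentError, "invalid query_operator: #{f[:query_operator].inspect}"
    end
    sql << " #{op} "
  end
  [sql, params]
end

if __FILE__ == $PROGRAM_NAME
  p build_where_vulnerable(MALICIOUS_FILTERS)
  begin
    build_where_hardened(MALICIOUS_FILTERS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

With the vulnerable builder the malicious set produces `status = ? OR 1=1 OR inbox_id = ?`, which matches every row the surrounding query can see regardless of the filter; any other SQL fragment the database accepts in that position works the same way. The hardened builder raises on the first non-allowlisted operator, so the request fails before reaching the database.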
CVE-2023-2109 MEDIUM WRITEUP
GitHub repository chatwoot/chatwoot <2.14.0 - XSS
DOM-based cross-site scripting (XSS) in GitHub repository chatwoot/chatwoot prior to 2.14.0.
CVSS 6.1
CVE-2024-0640 MEDIUM WRITEUP
chatwoot 3.0.0-3.5.1 - Stored Cross-Site Scripting via Dashboard App Settings
A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. It allows an admin user to inject malicious JavaScript via the dashboard app settings; the script then executes in the browser of another admin user who opens the affected dashboard app. The issue is fixed in version 3.5.2.
CVSS 4.8