CVE-2024-11441

MEDIUM

serge-chat/serge - Stored Cross-Site Scripting in Chat Prompt

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks.

References (1)

Core 1
Core References

Scores

CVSS v3 6.1
EPSS 0.0037
EPSS Percentile 28.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
serge-chat/serge-chat/serge unspecified - latest
Published Mar 20, 2025
Tracked Since Feb 18, 2026