Cross-Site Scripting Vulnerability in DeepChat Open-Source AI Agent Platform
CVE-2026-43900

9.3 CRITICAL

Key Information:

CVE Published:
11 May 2026

What is CVE-2026-43900?

DeepChat, an open-source AI agent platform, contains a cross-site scripting (XSS) vulnerability in versions prior to v1.0.4-beta.1. The root cause is a mismatch between what the backend validates and what the frontend renders: the SVGSanitizer looks for script-bearing URL schemes such as `javascript:` in the SVG as submitted, but does not HTML-entity-decode attribute values the way the Vue.js component (and ultimately the browser) does when the SVG is rendered. An attacker can therefore supply an SVG whose dangerous attribute values are obfuscated with HTML entities: the sanitizer sees no `javascript:` string and passes the artifact, while the rendered element carries a live `javascript:` URL, and arbitrary JavaScript runs in the victim's session when the victim interacts with (for example, clicks) the rendered SVG element. The general lesson for any sanitizer of this kind is that it must decode and normalize a value into the form the browser will actually interpret before deciding whether it is safe; checking the raw, still-encoded text is not sufficient. The vulnerability is resolved in DeepChat v1.0.4-beta.1.

Affected Version(s)

deepchat < 1.0.4-beta.1

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Note: the v3.1 base metrics listed above compute to a base score of 9.6, not 9.3. A 9.3 is consistent with a CVSS 4.0 vector carrying the same network/low-complexity/no-privileges/user-interaction profile, so the score and the metric breakdown on this page appear to come from different CVSS versions. The severity band (Critical) is the same either way.

Timeline

  • Vulnerability published: 11 May 2026

  • Vulnerability reserved: date not listed
