Stored Cross-Site Scripting (XSS) in TelegAI (telegai.com) 2025-05-26 in its chat component and character container component. An attacker can achieve arbitrary client-side script execution by crafting an AI Character with SVG XSS payloads in either description, greeting, example dialog, or system prompt(instructing the LLM to embed XSS payload in its chat response). When a user interacts with such a malicious AI Character or just browse its profile, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as session tokens, potentially resulting in account hijacking.
References
| Link | Resource |
|---|---|
| https://github.com/Secsys-FDU/CVE-2025-51860 |
Configurations
No configuration.
History
25 Jul 2025, 15:29
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
22 Jul 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| CWE | CWE-79 |
22 Jul 2025, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-07-22 15:15
Updated : 2025-07-25 15:29
NVD link : CVE-2025-51860
Mitre link : CVE-2025-51860
CVE.ORG link : CVE-2025-51860
JSON object : View
Products Affected
No product.
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')