Multiple vulnerabilities in LiveHelperChat

Posted date 20/03/2026
Identifier
INCIBE-2026-209
Importance
4 - High
Affected Resources

LiveHelperChat, 4.81 version.

Description

INCIBE has coordinated the disclosure of 7 vulnerabilities: 1 critical, 4 high, and 2 of medium severity, affecting LiveHelperChat, an open-source live chat platform. The vulnerabilities were discovered by Pedro J. Núñez-Cacho Fuentes.

The following CVE identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type have been assigned to each vulnerability:

  • CVE-2026-4380: CVSS v4.0: 9.2 | CVSS AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N | CWE-79
  • CVE-2026-4381: CVSS v4.0: 8.6 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-915
  • CVE-2026-4382: CVSS v4.0: 7.7 | CVSS AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-502
  • CVE-2026-4383: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N | CWE-863
  • CVE-2026-4384: CVSS v4.0: 7.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-862
  • CVE-2026-4385: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N | CWE-918
  • CVE-2026-4386: CVSS v4.0: 5.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-862
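
As an added example (not part of the INCIBE advisory), the following Python parses bullets in the format used above, validates each CVSS v4.0 base vector against the metric values the specification permits, and maps the base score to its qualitative rating, so the list can be checked against the CVE table below and triaged by whether a flaw is reachable without privileges (PR:N). The metric tables and rating bands come from the CVSS v4.0 specification; the two SAMPLE bullets are copied from this advisory.

```python
import re
# CVSS v4.0 base metrics and their permitted values (CVSS v4.0 specification).
IMPACT = {"H", "L", "N"}
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": IMPACT, "VI": IMPACT, "VA": IMPACT, "SC": IMPACT, "SI": IMPACT, "SA": IMPACT,
}
# Advisory bullet "CVE-...: CVSS v4.0: 9.2 | CVSS AV:N/.../SA:N | CWE-79"; a spec-style "CVSS:4.0/" prefix is also accepted.
LINE_RE = re.compile(
    r"(CVE-\d{4}-\d{4,}):\s*CVSS v4\.0:\s*(\d+(?:\.\d+)?)\s*\|\s*"
    r"CVSS\s+(?:CVSS:4\.0/)?([A-Z]{2}:[A-Z](?:/[A-Z]{2}:[A-Z])*)\s*\|\s*(CWE-\d+)"
)

def parse_vector(vector):
    """{metric: value} from a base vector; rejects unknown, duplicate or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in BASE_METRICS or value not in BASE_METRICS[name]:
            raise ValueError(f"invalid metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    if set(metrics) != set(BASE_METRICS):
        raise ValueError(f"missing metrics: {sorted(set(BASE_METRICS) - set(metrics))}")
    return metrics

def severity(score):
    """Qualitative rating on the CVSS v4.0 scale (scores run from 0.0 to 10.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
    return next(label for limit, label in bands if score <= limit)

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an advisory CVE line: {line!r}")
    cve, score, vector, cwe = m.groups()
    return {"cve": cve, "score": float(score), "metrics": parse_vector(vector), "cwe": cwe}

def summarise(lines):
    # (CVE, rating, reachable without privileges, CWE) per bullet, for triage.
    return [(e["cve"], severity(e["score"]), e["metrics"]["PR"] == "N", e["cwe"])
            for e in map(parse_line, lines)]
SAMPLE = [  # two bullets copied from the advisory above
    "CVE-2026-4380: CVSS v4.0: 9.2 | CVSS AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N | CWE-79",
    "CVE-2026-4385: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N | CWE-918",
]
```
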

Solution

The vulnerabilities have been fixed by the LiveHelperChat team in version 4.82.

Detail

  • CVE-2026-4380: a stored Cross-Site Scripting (XSS) vulnerability caused by Content-Type manipulation in LiveHelperChat, which, if exploited, could allow an attacker to gain full control of the application (by creating administrator accounts) by uploading a malicious file with a modified header to force the execution of JavaScript code in the victim's browser.
  • CVE-2026-4381: an arbitrary file read vulnerability due to mass assignment in LiveHelperChat, which could allow an attacker to access sensitive system files (such as credentials) by tampering with path parameters (file_path and name) via REST API requests without validation.
  • CVE-2026-4382: insecure deserialization (PHP object injection) in LiveHelperChat, which, if exploited, could allow an attacker to remotely execute code (by deploying a webshell) by inserting serialized payloads directly into the database after extracting the system's credentials.
  • CVE-2026-4383: a reverse logic access control bypass in LiveHelperChat, which, if exploited, could allow an attacker to delete any chat from the system by sending delete requests to the REST API using a low-privileged account that explicitly lacks those permissions.
  • CVE-2026-4384: an access control vulnerability in LiveHelperChat, which could allow an attacker to intercept sensitive chat data (messages, files, and user data) by modifying the URLs of outgoing webhooks without authorization via the REST API using an account without privileges.
  • CVE-2026-4385: Server-Side Request Forgery (SSRF) in LiveHelperChat, which, if exploited, could allow an attacker to make unauthorized network requests from the server to internal or external systems by sending user-controlled URLs to a public webhook configured to download images without proper validation.
  • CVE-2026-4386: Insecure Direct Object Reference (IDOR) in LiveHelperChat, which, if exploited, could allow an attacker to enumerate and extract metadata from restricted conversations (such as dates and departments) by unauthorized access to chat identifiers in the message history controller using an operator account with basic privileges.
CVE

CVE identifier   Severity   Exploitation   Vendor
CVE-2026-4380    Critical   No             LiveHelperChat
CVE-2026-4381    High       No             LiveHelperChat
CVE-2026-4382    High       No             LiveHelperChat
CVE-2026-4383    High       No             LiveHelperChat
CVE-2026-4384    High       No             LiveHelperChat
CVE-2026-4385    Medium     No             LiveHelperChat
CVE-2026-4386    Medium     No             LiveHelperChat