HackerOne Disclosed Reports - 2026-07-16

0 Replies, 6 Views

Logo
Medium
resolved

Stored XSS in Rocket.Chat HTML File Export — Unauthenticated Entry via LiveChat


Bug reported by Denis Rostilov was disclosed at July 16, 2026, 5:02 am   |   Cross-site Scripting (XSS) - Stored

A vulnerability was discovered in the HTML file export feature of Rocket.Chat. The vulnerability allowed an attacker to inject arbitrary JavaScript code that would execute when the exported HTML file was opened. The root cause was that the application did not properly sanitize or escape user-supplied data before including it in the exported HTML. As a result, an unauthenticated attacker could leverage the vulnerability to perform actions such as data exfiltration and credential phishing.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]

Messages In This Thread
HackerOne disclosed reports - 2026-07-16 - by hashXploiter - Yesterday, 12:30 PM



Users browsing this thread: 1 Guest(s)