Chatwoot · Chatwoot · CVE-2025-21628
**Name of the Vulnerable Software and Affected Versions**
Chatwoot versions prior to 3.16.0
**Description**
The issue concerns a lack of input sanitization for the `query operator` in the conversation and contact filter endpoints. This allows any authenticated actor to run arbitrary SQL within the filter query by adding a tautological WHERE clause.
**Recommendations**
For versions prior to 3.16.0, update to version 3.16.0 to resolve the issue. As a temporary workaround, consider restricting access to the conversation and contact filter endpoints until the update is applied.
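The fix pattern for this class of bug is to never let the request-supplied operator reach the SQL string: every connector and comparison operator is looked up in an allowlist, and user values travel only as bind parameters. The following is an added illustration, not Chatwoot's own code; the parameter names (`attribute_key`, `filter_operator`, `query_operator`, `values`) and the attribute and operator lists are assumptions for the example.

```ruby
# Added example, not Chatwoot's own code. Param names and the allowlists
# below are assumptions chosen for illustration.

QUERY_OPERATORS  = %w[AND OR].freeze                 # connectors between conditions
ATTRIBUTES       = %w[status assignee_id email].freeze  # columns a filter may reference
FILTER_OPERATORS = {                                 # operator name -> fixed SQL template
  'equal_to'     => '%s = ?',
  'not_equal_to' => '%s != ?',
  'contains'     => '%s ILIKE ?'
}.freeze

class InvalidFilterError < StandardError; end

# Builds "(cond) AND (cond) OR (cond)" plus a flat list of bind values.
# Every token written into the SQL string comes from an allowlist; the
# strings taken from the request are used only as lookup keys or as binds.
# Any connector or operator outside the allowlist, including a string
# carrying a tautology such as "... OR 1=1", raises InvalidFilterError.
def build_filter_where(filters)
  sql   = +''
  binds = []
  filters.each_with_index do |f, i|
    attr = f['attribute_key'].to_s
    op   = f['filter_operator'].to_s
    raise InvalidFilterError, "attribute #{attr.inspect}" unless ATTRIBUTES.include?(attr)
    raise InvalidFilterError, "filter operator #{op.inspect}" unless FILTER_OPERATORS.key?(op)

    value = Array(f['values']).first.to_s
    value = "%#{value}%" if op == 'contains'   # wildcard added server-side, still a bind
    sql << "(#{FILTER_OPERATORS[op] % attr})"
    binds << value

    last = i == filters.size - 1
    connector = f['query_operator']&.to_s&.upcase
    raise InvalidFilterError, 'missing query operator' if connector.nil? && !last
    next if connector.nil?
    raise InvalidFilterError, "query operator #{connector.inspect}" unless QUERY_OPERATORS.include?(connector)
    sql << " #{connector} " unless last
  end
  [sql, binds]
end
```

The returned `[sql, binds]` pair is meant to be handed to a parameterized query API (e.g. `where(sql, *binds)` in ActiveRecord), so the database never sees user input as SQL text.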