CVE-2025-51860

Name of the Vulnerable Software and Affected Versions TelegAI (affected versions not specified)

Description The application contains a stored cross-site scripting (XSS) issue in its chat component and character container component. An attacker can execute arbitrary client-side scripts by creating an AI Character with SVG XSS payloads within the description, greeting, example dialog, or system prompt. This allows the LLM to embed XSS payloads in its chat response. When a user interacts with a malicious AI Character or views its profile, the script executes in the user's browser, potentially leading to the theft of sensitive information, such as session tokens, and account hijacking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.