CVE-2026-43900

Name of the Vulnerable Software and Affected Versions DeepChat versions prior to 1.0.4-beta.1

Description A Cross-Site Scripting (XSS) issue exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer function (src/main/lib/svgSanitizer.ts) attempts to prevent script execution by scrubbing javascript: protocols using plain-text regular expressions. However, it does not account for HTML entity decoding before the v-html DOM insertion occurs within the SvgArtifact.vue component. An attacker can bypass the sanitizer by using obfuscated entities, such as javascript:alert(1), leading to arbitrary JavaScript execution when a victim interacts with the rendered SVG Element.

Recommendations Update to version 1.0.4-beta.1.