PT-2026-43348 · Chatwoot · Chatwoot
Tenbbughunters
+1
·
Published
2026-05-26
·
Updated
2026-05-26
·
CVE-2026-44706
CVSS v3.1
8.5
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Chatwoot versions 2.2.0 through 4.11.1
Description
An issue exists in the conversation and contact filter APIs where user-supplied values in the
values field of the filter payload are interpolated directly into SQL queries without parameterization when filtering by custom attributes of type date or number using the is greater than or is less than operators. This allows an authenticated user with account access to execute arbitrary SQL via time-based blind injection. Affected endpoints include '/api/v1/accounts/{account id}/conversations/filter', '/api/v1/accounts/{account id}/contacts/filter', and '/api/v1/accounts/{account id}/custom attribute definitions'.Recommendations
Update to version 4.11.2.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Chatwoot