Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47733

CVE-2026-47733: Rocket.Chat XSS Vulnerability

CVE-2026-47733 is a cross-site scripting flaw in Rocket.Chat's ImageElement component that allows attackers to inject malicious JavaScript. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-47733 Overview

CVE-2026-47733 is a Cross-Site Scripting (XSS) vulnerability in Rocket.Chat, an open-source communications platform. The flaw affects the ImageElement component in the packages/gazzodown package across versions prior to 8.5.0. The component renders user-controlled src values directly into <a href> and <img src> attributes without protocol sanitization. An authenticated user can post a markdown image referencing a javascript: URL. When clicked on an older browser that still honors javascript: URLs in image contexts, the payload executes arbitrary JavaScript in the viewer's session. The issue is tracked under [CWE-79] and is fixed in version 8.5.0.

Critical Impact

Authenticated attackers can deliver stored XSS payloads through markdown images, executing JavaScript in another user's authenticated Rocket.Chat session on vulnerable browsers.

Affected Products

  • Rocket.Chat versions prior to 8.5.0
  • The ImageElement component in packages/gazzodown
  • Deployments accessed through legacy browsers that honor javascript: URLs

Discovery Timeline

  • 2026-06-24 - CVE-2026-47733 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-47733

Vulnerability Analysis

The vulnerability stems from inconsistent URL handling between two markdown-rendering components in the gazzodown package. The LinkSpan component applies sanitizeUrl to block dangerous schemes including javascript:, data:, and vbscript:. The ImageElement component omits this sanitization step and forwards the raw URL into both the <a href> and <img src> attributes. This asymmetry allows an authenticated user to craft markdown image syntax pointing to a javascript: URL. When another user clicks the rendered image on a browser that still evaluates javascript: URLs in anchor contexts, the script executes under the victim's origin and session.

Exploitation requires authentication, user interaction, and a browser that has not blocked legacy script-in-URL behavior. These constraints reduce the practical severity, but successful exploitation yields session-scoped script execution capable of reading chat content, exfiltrating tokens, or issuing API calls as the victim.

Root Cause

The root cause is missing protocol allowlisting in the ImageElement render path. The fix in version 8.5.0 routes the src value through the same sanitizeUrl helper already used by LinkSpan, ensuring javascript:, data:, and vbscript: schemes are stripped or neutralized before rendering.

Attack Vector

An authenticated attacker posts a markdown image such as ![alt](javascript:payload) in a channel or direct message. The server stores the message and distributes it to recipients. The client renders the image element with the raw URL preserved in href and src. A viewer using a vulnerable browser clicks the link, and the JavaScript payload executes in the Rocket.Chat origin.

No synthetic exploit code is published here. Refer to the Rocket.Chat GitHub Security Advisory GHSA-vvrf-fq54-q4pr for component-level details.

Detection Methods for CVE-2026-47733

Indicators of Compromise

  • Stored chat messages containing markdown image syntax with javascript:, data:, or vbscript: URL schemes.
  • Outbound requests from client browsers to attacker-controlled hosts originating from the Rocket.Chat origin.
  • Unexpected session token usage or API calls performed from a legitimate user's account shortly after viewing a channel.

Detection Strategies

  • Query message storage for content matching the regex !\[[^\]]*\]\((javascript|data|vbscript):.
  • Monitor browser console errors or Content Security Policy (CSP) violation reports referencing inline script execution.
  • Correlate authenticated API activity with recent message rendering events to identify session abuse.

Monitoring Recommendations

  • Enable and forward Rocket.Chat audit logs and reverse-proxy access logs to a centralized analytics platform.
  • Track the deployed Rocket.Chat version against the fixed release 8.5.0 to confirm patch coverage.
  • Alert on new external domains contacted by authenticated user sessions immediately after message viewing.

How to Mitigate CVE-2026-47733

Immediate Actions Required

  • Upgrade all Rocket.Chat servers to version 8.5.0 or later.
  • Audit recent messages for markdown image entries containing non-http(s) URL schemes and remove or quarantine them.
  • Notify users to update browsers to current releases that reject javascript: execution from anchor and image contexts.

Patch Information

The vulnerability is fixed in Rocket.Chat version 8.5.0. The patch routes ImageElementsrc values through the existing sanitizeUrl helper, matching the protocol allowlisting already enforced in LinkSpan. See the Rocket.Chat GitHub Security Advisory GHSA-vvrf-fq54-q4pr for the official advisory.

Workarounds

  • Enforce a strict Content Security Policy that disallows inline script execution and unsafe URL schemes.
  • Restrict message posting privileges to trusted users until the upgrade is complete.
  • Educate users to avoid clicking embedded images from untrusted senders in chat channels.
bash
# Configuration example: restrictive CSP header at the reverse proxy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' https:; object-src 'none'; base-uri 'self'";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.