Vulnerability Database

308,379

Total vulnerabilities in the database

CVE-2025-58768

DeepChat is a smart assistant uses artificial intelligence. Prior to version 0.3.5, in the Mermaid chart rendering component, there is a risky operation of directly using innerHTML to set user content. Therefore, any malicious content rendered via Mermaid will directly trigger the exploit chain, leading to command execution. This vulnerability is primarily caused by a failure to fully address the existing XSS issue in the project, leading to another exploit chain. The exploit chain is consistent with the report GHSA-hqr4-4gfc-5p2j, executing arbitrary JavaScript code via XSS and arbitrary commands via exposed IPC. Version 0.3.5 contains an updated fix.

Published: Sep 9, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-58768
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
thinkinai / deepchat	-	0.3.5

https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-f7q5-vc93-wp6j

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo