OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
Description
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: DeepChat
PRODUCT: DeepChat AI Platform
AFFECTED_VERSIONS: Prior to v1.0.4-beta.1
---END_METADATA---
Description Summary:
A Cross-Site Scripting (XSS) vulnerability exists in DeepChat due to improper sanitization of SVG artifacts, allowing arbitrary JavaScript execution.
Executive Summary:
An unauthenticated attacker can execute arbitrary JavaScript in the context of a user's browser by exploiting a sanitization bypass in DeepChat’s SVG handling.
Vulnerability Details
CVE-ID: CVE-2026-43900
Affected Software: DeepChat DeepChat AI Platform
Affected Versions: Prior to v1.0.4-beta.1
Vulnerability: This is a Cross-Site Scripting (XSS) vulnerability caused by the failure to decode HTML entities before rendering SVG elements. An unauthenticated attacker can inject obfuscated JavaScript protocols that bypass the
SVGSanitizerto execute code in the victim's browser session.Business Impact
Successful exploitation allows attackers to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. Given the 9.3 CVSS score, this represents a severe risk to user data integrity and platform trust.
Remediation Plan
Immediate Action: Upgrade DeepChat to version 1.0.4-beta.1 or later immediately.
Proactive Monitoring: Monitor browser-side error logs for unexpected script execution attempts and inspect user-submitted SVG content for suspicious HTML entities.
Compensating Controls: Implement a strict Content Security Policy (CSP) to restrict the execution of inline scripts and prevent unauthorized external resource loading.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 11, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The vulnerability presents a high risk of browser-based attacks. Organizations should prioritize patching to version 1.0.4-beta.1 to eliminate the sanitization flaw and protect users from credential theft and session hijacking.