CVE-2025-8349 MEDIUM

CVE-2025-8349: Stored Cross-Site Scripting (XSS) in Tawk Live Chat

Vendor Tawk
Product Live Chat
Weakness CWE-79 · XSS
Published October 20, 2025
Last update March 24, 2026

CVSS base score 5.3/10

Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None (vulnerable system), Low (subsequent system)
Integrity None (vulnerable system), Low (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Stored cross-site scripting (XSS) vulnerability in Tawk Live Chat. An attacker can execute JavaScript in a victim's browser by uploading a malicious PDF containing a JavaScript payload through the chatbot. The application stores the PDF and later serves it without proper sanitisation when other users open it. Exploitation can be used to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
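Defensive handling for the upload-and-serve path described above, as an added example that is not taken from the advisory or from Tawk's code: a byte-level heuristic that flags PDF uploads declaring script or auto-run actions (the standard `/JavaScript`, `/JS`, `/OpenAction`, `/AA` and `/Launch` names), and the response headers that keep a stored PDF from rendering inline in the application's origin. `CLEAN_PDF` and `SCRIPTED_PDF` are constructed samples, not real files.

```python
import re

# PDF names may carry #xx hex escapes (e.g. /J#61vaScript), so decode them
# before matching; otherwise a trivially obfuscated name slips past the scan.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Standard PDF names that introduce script execution or automatic actions.
_SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def _normalise_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_script_markers(data: bytes) -> list[str]:
    """Return active-content markers found in raw PDF bytes. Heuristic only:
    compressed object streams are not decoded, so a hit is a triage signal,
    and a miss is not proof of safety; the headers below are the real control."""
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    text = _normalise_names(data)
    found = []
    for marker in _SCRIPT_MARKERS:
        # Require a delimiter after the name so /JS does not match longer names.
        if re.search(re.escape(marker) + rb"(?![A-Za-z0-9])", text):
            found.append(marker.decode())
    return found

def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a user-uploaded PDF: attachment disposition stops
    inline rendering in the application origin, the CSP sandbox directive is
    defence in depth if a browser still renders it as a document, and nosniff
    prevents the response from being re-typed as HTML."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "file.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples (not real files): a plain PDF skeleton and one that
# declares an OpenAction running JavaScript, with one name hex-escaped.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /J#61vaScript /JS (x) >> endobj\n%%EOF")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF)):
        print(name, pdf_script_markers(blob) or "no active content")
    print(download_headers('report "1".pdf'))
```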

Disclosure timeline

October 20, 2025 CVE published
March 24, 2026 Record updated
