Vulnerability Details CVE-2025-21628
Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of query_operator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched with v3.16.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 48.0%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2025-21628
-
cpe:2.3:a:chatwoot:chatwoot:2.16.1
-
cpe:2.3:a:chatwoot:chatwoot:2.17.0
-
cpe:2.3:a:chatwoot:chatwoot:2.17.1
-
cpe:2.3:a:chatwoot:chatwoot:2.18.0
-
cpe:2.3:a:chatwoot:chatwoot:3.0.0
-
cpe:2.3:a:chatwoot:chatwoot:3.1.0
-
cpe:2.3:a:chatwoot:chatwoot:3.1.1
-
cpe:2.3:a:chatwoot:chatwoot:3.10.0
-
cpe:2.3:a:chatwoot:chatwoot:3.10.1
-
cpe:2.3:a:chatwoot:chatwoot:3.10.2
-
cpe:2.3:a:chatwoot:chatwoot:3.11.0
-
cpe:2.3:a:chatwoot:chatwoot:3.11.1
-
cpe:2.3:a:chatwoot:chatwoot:3.12.0
-
cpe:2.3:a:chatwoot:chatwoot:3.13.0
-
cpe:2.3:a:chatwoot:chatwoot:3.14.0
-
cpe:2.3:a:chatwoot:chatwoot:3.14.1
-
cpe:2.3:a:chatwoot:chatwoot:3.15.0
-
cpe:2.3:a:chatwoot:chatwoot:3.2.0
-
cpe:2.3:a:chatwoot:chatwoot:3.3.0
-
cpe:2.3:a:chatwoot:chatwoot:3.3.1
-
cpe:2.3:a:chatwoot:chatwoot:3.4.0
-
cpe:2.3:a:chatwoot:chatwoot:3.5.0
-
cpe:2.3:a:chatwoot:chatwoot:3.5.1
-
cpe:2.3:a:chatwoot:chatwoot:3.5.2
-
cpe:2.3:a:chatwoot:chatwoot:3.6.0
-
cpe:2.3:a:chatwoot:chatwoot:3.7.0
-
cpe:2.3:a:chatwoot:chatwoot:3.8.0
-
cpe:2.3:a:chatwoot:chatwoot:3.9.0