ChatGPT Unli Self Cross-Site Scripting Vulnerability
Vulnerability
A self cross-site scripting vulnerability has been identified in ChatGPT Unli, through version 2025-05-26. This vulnerability allows attackers to execute arbitrary code by sending a crafted SVG file to the chat interface. The issue can lead to cookie theft and remote account hijacking.
Impact
Exploitation of this vulnerability allows for self cross-site scripting, where a user inadvertently executes malicious scripts that could steal cookies containing session information and tokens, potentially leading to account hijacking.
Reproduction
To reproduce this vulnerability, a user must craft an SVG file containing a script element that accesses the document.cookie property. This file can be delivered through various channels such as email or instant messages. Once received, the user must paste the SVG payload into the ChatGPT Unli chat interface, triggering the execution of the embedded script.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.