LogicalBreach Academy

XSS Bypass to Zero Click Account Takeover in AI Chatbot | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

Cross-site Scripting (XSS) - DOM (CWE-79)CVSS 7.5Hard

XSS Bypass to Zero Click Account Takeover in AI Chatbot

heroxo9868

March 17, 2026

39 views

Save

Vulnerability Summary

Poor HTML sanitization combined with a file upload feature led to a stored XSS that allowed administrator accounts to be compromised.

Application Overview

Let’s refer to the company as A.Corp.

Instead of integrating a third-party chatbot, A.Corp developed its own AI assistant from the ground up:

The model was trained internally.
The user interface was custom-built.
The guardrails and safety controls were implemented by their team.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

heroxo9868

€470 Documented

Profile →

Related Writeups

pyus3r

DOM XSS to High Severity via Credential Phishing Overlay

A DOM-based XSS vulnerability was discovered affecting multiple endpoints within a financial institution's web application. The target_route parameter was being processed client-side without proper validation or sanitization. This flaw allowed an attacker to execute arbitrary JavaScript code by utilizing the javascript: URI scheme.

Read Writeup →

hackerone-reports

DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover

HackerOne disclosed report --> https://hackerone.com/reports/3608199 by xavlimsg

Read Writeup →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service