Chatwoot – Second Order Time-Based Blind SQL Injection via Custom Attribute Key

19/05/2026

The custom attribute definition API allows creating attributes with arbitrary attribute_key values without validation. When these attributes are used in conversation/contact filters, the key is directly interpolated into SQL queries in build_custom_attr_query, enabling stored SQL injection. An attacker can create a malicious custom attribute once, then trigger the injection whenever that attribute is used in a filter.

Joshua Martinelle Tue, 05/19/2026 – 07:17
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Chatwoot – Second Order Time-Based Blind SQL Injection via Custom Attribute Key

Latest article

macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence

CIRT insights: How to help prevent unauthorized account removals from AWS Organizations

Contractor’s public GitHub account exposed GovCloud and CISA credentials

Microsoft Confirms Windows Update Bug Blocking Security Fixes

EDITOR PICKS

macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence

CIRT insights: How to help prevent unauthorized account removals from AWS...

Contractor’s public GitHub account exposed GovCloud and CISA credentials

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

macOS Malware Installs Fake Google Software Update LaunchAgent for Persistence

CIRT insights: How to help prevent unauthorized account removals from AWS...

Contractor’s public GitHub account exposed GovCloud and CISA credentials