DeepChat — CVE-2026-43899 RCE via Electron Pop-up Bypass & CVE-2026-43900 XSS
AI relevance: DeepChat is an open-source AI agent platform that unifies models, tools, and agents — its Electron shell exposes users to both remote code execution and cross-site scripting via the same content pipeline AI agents rely on.
What happened
- CVE-2026-43899 (CVSS 9.6): Incomplete mitigation of a prior vulnerability (CVE-2025-55733) left a critical Electron pop-up bypass in place. The fix restricted `api.openExternal()` in the preload script but failed to patch native Electron window handlers.
- An attacker sends a Markdown link with `target="_blank"` pointing to a malicious URL. DeepChat's `tabPresenter.ts` intercepts it, skips the `isValidExternalUrl()` check, and passes the URL directly to `shell.openExternal()`.
- Through custom protocol handlers registered on the victim's system, this leads to arbitrary code execution.
- Compromised AI endpoints can also deliver the malicious Markdown — meaning the attack surface includes the model's responses, not just user input.
- CVE-2026-43900: A separate critical stored XSS vulnerability in the same platform, allowing script injection through rendered content.
- Both affect versions prior to v1.0.4-beta.1. Fixed in that release.
- DeepChat joins a growing list of Electron-based AI tools with protocol-handler RCE chains (cf. CVE-2025-67744, the earlier Mermaid XSS → IPC exposure).
Why it matters
This is the third critical vulnerability class in DeepChat's Electron shell — each time patched incompletely. The pattern is familiar: AI platforms that render untrusted model output inside Electron apps are essentially building content pipelines that double as attack surfaces. A compromised or adversarial AI endpoint can weaponize the same Markdown rendering that the product relies on for its core UX.
What to do
- Update DeepChat to v1.0.4-beta.1 or newer immediately.
- For Electron-based AI tools generally: audit all `shell.openExternal()` call sites and verify every code path validates URLs against an allowlist — not just the preload script.
- Disable custom protocol handlers on machines running AI agent apps unless explicitly needed.