CVE-2022-24799 [Critical] | XSS in Wire-Webapp

wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. ### Patches * The issue has been fixed in wire-webapp **2022-03-30-production.0** and is already deployed on all Wire managed services. * On-premise instances of wire-webapp need to be updated to docker tag **2022-03-30-production.0-v0.29.2-0-d144552** or wire-server **2022-03-30 (chart/4.8.0)**, so that their applications are no longer affected. ### Workarounds * No workarounds known ### For more information If you have any questions or comments about this advisory feel free to email us at [[email protected]](mailto:[email protected]) ### Credits We thank [Posix](https://twitter.com/po6ix) for reporting this vulnerability

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.56%	0.92%	+0.37%
2	2025-05-04	0.51%	0.56%	+0.05%
3	2025-04-28	—	0.51%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.56%

0.92%

+0.37%

2025-05-04

0.51%

0.56%

+0.05%

2025-04-28

—

0.51%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.6	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	6.0	[email protected]
6.1	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.8	2.7	[email protected]
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.6

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

6.0

[email protected]

6.1

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.8

2.7

[email protected]

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

Affected software / configurations for CVE-2022-24799

Vendor	Product	Version	Raw CPE
wire	wire-webapp	2016-07-29-17-00	cpe:2.3:a:wire:wire-webapp:2016-07-29-17-00:::::::*
wire	wire-webapp	2016-08-04-15-44	cpe:2.3:a:wire:wire-webapp:2016-08-04-15-44:::::::*
wire	wire-webapp	2016-08-23-09-31	cpe:2.3:a:wire:wire-webapp:2016-08-23-09-31:::::::*
wire	wire-webapp	2016-08-24-10-10	cpe:2.3:a:wire:wire-webapp:2016-08-24-10-10:::::::*
wire	wire-webapp	2016-08-29-14-54	cpe:2.3:a:wire:wire-webapp:2016-08-29-14-54:::::::*
wire	wire-webapp	2016-09-08-15-38	cpe:2.3:a:wire:wire-webapp:2016-09-08-15-38:::::::*
wire	wire-webapp	2016-09-19-14-01	cpe:2.3:a:wire:wire-webapp:2016-09-19-14-01:::::::*
wire	wire-webapp	2016-09-28-14-58	cpe:2.3:a:wire:wire-webapp:2016-09-28-14-58:::::::*
wire	wire-webapp	2016-10-11-15-34	cpe:2.3:a:wire:wire-webapp:2016-10-11-15-34:::::::*
wire	wire-webapp	2016-10-18-08-10	cpe:2.3:a:wire:wire-webapp:2016-10-18-08-10:::::::*
wire	wire-webapp	2016-10-25-08-17	cpe:2.3:a:wire:wire-webapp:2016-10-25-08-17:::::::*
wire	wire-webapp	2016-10-26-18-58	cpe:2.3:a:wire:wire-webapp:2016-10-26-18-58:::::::*
wire	wire-webapp	2016-11-03-16-09	cpe:2.3:a:wire:wire-webapp:2016-11-03-16-09:::::::*
wire	wire-webapp	2016-11-08-15-06	cpe:2.3:a:wire:wire-webapp:2016-11-08-15-06:::::::*
wire	wire-webapp	2016-12-01-12-57	cpe:2.3:a:wire:wire-webapp:2016-12-01-12-57:::::::*
wire	wire-webapp	2016-12-13-15-12	cpe:2.3:a:wire:wire-webapp:2016-12-13-15-12:::::::*
wire	wire-webapp	2017-01-23-12-12	cpe:2.3:a:wire:wire-webapp:2017-01-23-12-12:::::::*
wire	wire-webapp	2017-02-01-14-49	cpe:2.3:a:wire:wire-webapp:2017-02-01-14-49:::::::*
wire	wire-webapp	2017-02-17-10-10	cpe:2.3:a:wire:wire-webapp:2017-02-17-10-10:::::::*
wire	wire-webapp	2017-02-24-13-06	cpe:2.3:a:wire:wire-webapp:2017-02-24-13-06:::::::*
wire	wire-webapp	2017-03-08-17-32	cpe:2.3:a:wire:wire-webapp:2017-03-08-17-32:::::::*
wire	wire-webapp	2017-03-14-15-05	cpe:2.3:a:wire:wire-webapp:2017-03-14-15-05:::::::*
wire	wire-webapp	2017-03-21-11-00	cpe:2.3:a:wire:wire-webapp:2017-03-21-11-00:::::::*
wire	wire-webapp	2017-03-27-17-10	cpe:2.3:a:wire:wire-webapp:2017-03-27-17-10:::::::*
wire	wire-webapp	2017-03-28-14-23	cpe:2.3:a:wire:wire-webapp:2017-03-28-14-23:::::::*
wire	wire-webapp	2017-04-05-16-58	cpe:2.3:a:wire:wire-webapp:2017-04-05-16-58:::::::*
wire	wire-webapp	2017-04-07-09-42	cpe:2.3:a:wire:wire-webapp:2017-04-07-09-42:::::::*
wire	wire-webapp	2017-04-19-12-31	cpe:2.3:a:wire:wire-webapp:2017-04-19-12-31:::::::*
wire	wire-webapp	2017-04-20-15-54	cpe:2.3:a:wire:wire-webapp:2017-04-20-15-54:::::::*
wire	wire-webapp	2017-05-03-10-29	cpe:2.3:a:wire:wire-webapp:2017-05-03-10-29:::::::*
wire	wire-webapp	2017-05-19-16-10	cpe:2.3:a:wire:wire-webapp:2017-05-19-16-10:::::::*
wire	wire-webapp	2017-05-26-08-16	cpe:2.3:a:wire:wire-webapp:2017-05-26-08-16:::::::*
wire	wire-webapp	2017-05-26-12-03	cpe:2.3:a:wire:wire-webapp:2017-05-26-12-03:::::::*
wire	wire-webapp	2017-06-01-10-02	cpe:2.3:a:wire:wire-webapp:2017-06-01-10-02:::::::*
wire	wire-webapp	2017-06-07-15-03	cpe:2.3:a:wire:wire-webapp:2017-06-07-15-03:::::::*
wire	wire-webapp	2017-06-07-18-05	cpe:2.3:a:wire:wire-webapp:2017-06-07-18-05:::::::*
wire	wire-webapp	2017-06-22-12-18	cpe:2.3:a:wire:wire-webapp:2017-06-22-12-18:::::::*
wire	wire-webapp	2017-06-28-15-13	cpe:2.3:a:wire:wire-webapp:2017-06-28-15-13:::::::*
wire	wire-webapp	2017-07-06-12-44	cpe:2.3:a:wire:wire-webapp:2017-07-06-12-44:::::::*
wire	wire-webapp	2017-07-06-15-48	cpe:2.3:a:wire:wire-webapp:2017-07-06-15-48:::::::*
wire	wire-webapp	2017-07-18-12-50	cpe:2.3:a:wire:wire-webapp:2017-07-18-12-50:::::::*
wire	wire-webapp	2017-08-03-15-19	cpe:2.3:a:wire:wire-webapp:2017-08-03-15-19:::::::*
wire	wire-webapp	2017-08-04-09-04	cpe:2.3:a:wire:wire-webapp:2017-08-04-09-04:::::::*
wire	wire-webapp	2017-08-04-15-01	cpe:2.3:a:wire:wire-webapp:2017-08-04-15-01:::::::*
wire	wire-webapp	2017-08-08-15-09	cpe:2.3:a:wire:wire-webapp:2017-08-08-15-09:::::::*
wire	wire-webapp	2017-08-24-10-57	cpe:2.3:a:wire:wire-webapp:2017-08-24-10-57:::::::*
wire	wire-webapp	2017-08-31-14-21	cpe:2.3:a:wire:wire-webapp:2017-08-31-14-21:::::::*
wire	wire-webapp	2017-09-26-07-18	cpe:2.3:a:wire:wire-webapp:2017-09-26-07-18:::::::*
wire	wire-webapp	2017-09-26-13-00	cpe:2.3:a:wire:wire-webapp:2017-09-26-13-00:::::::*
wire	wire-webapp	2017-10-09-08-42	cpe:2.3:a:wire:wire-webapp:2017-10-09-08-42:::::::*
wire	wire-webapp	2017-10-19-10-45	cpe:2.3:a:wire:wire-webapp:2017-10-19-10-45:::::::*
wire	wire-webapp	2017-10-25-07-08	cpe:2.3:a:wire:wire-webapp:2017-10-25-07-08:::::::*
wire	wire-webapp	2017-11-07-08-50	cpe:2.3:a:wire:wire-webapp:2017-11-07-08-50:::::::*
wire	wire-webapp	2017-11-10-10-41	cpe:2.3:a:wire:wire-webapp:2017-11-10-10-41:::::::*
wire	wire-webapp	2017-12-04-10-23	cpe:2.3:a:wire:wire-webapp:2017-12-04-10-23:::::::*
wire	wire-webapp	2017-12-04-13-34	cpe:2.3:a:wire:wire-webapp:2017-12-04-13-34:::::::*
wire	wire-webapp	2017-12-07-11-13	cpe:2.3:a:wire:wire-webapp:2017-12-07-11-13:::::::*
wire	wire-webapp	2017-12-20-12-48	cpe:2.3:a:wire:wire-webapp:2017-12-20-12-48:::::::*
wire	wire-webapp	2018-01-24-18-11	cpe:2.3:a:wire:wire-webapp:2018-01-24-18-11:::::::*
wire	wire-webapp	2018-02-01-10-26	cpe:2.3:a:wire:wire-webapp:2018-02-01-10-26:::::::*
wire	wire-webapp	2018-02-16-07-54	cpe:2.3:a:wire:wire-webapp:2018-02-16-07-54:::::::*
wire	wire-webapp	2018-03-12-11-41	cpe:2.3:a:wire:wire-webapp:2018-03-12-11-41:::::::*
wire	wire-webapp	2018-04-06-07-28	cpe:2.3:a:wire:wire-webapp:2018-04-06-07-28:::::::*
wire	wire-webapp	2018-04-06-09-44	cpe:2.3:a:wire:wire-webapp:2018-04-06-09-44:::::::*
wire	wire-webapp	2018-04-09-10-16	cpe:2.3:a:wire:wire-webapp:2018-04-09-10-16:::::::*
wire	wire-webapp	2018-04-12-06-45	cpe:2.3:a:wire:wire-webapp:2018-04-12-06-45:::::::*
wire	wire-webapp	2018-04-12-11-12	cpe:2.3:a:wire:wire-webapp:2018-04-12-11-12:::::::*
wire	wire-webapp	2018-04-12-13-37	cpe:2.3:a:wire:wire-webapp:2018-04-12-13-37:::::::*
wire	wire-webapp	2018-04-24-14-58	cpe:2.3:a:wire:wire-webapp:2018-04-24-14-58:::::::*
wire	wire-webapp	2018-05-04-07-18	cpe:2.3:a:wire:wire-webapp:2018-05-04-07-18:::::::*
wire	wire-webapp	2018-05-24-15-49	cpe:2.3:a:wire:wire-webapp:2018-05-24-15-49:::::::*
wire	wire-webapp	2018-06-19-08-04	cpe:2.3:a:wire:wire-webapp:2018-06-19-08-04:::::::*
wire	wire-webapp	2018-07-03-08-25	cpe:2.3:a:wire:wire-webapp:2018-07-03-08-25:::::::*
wire	wire-webapp	2018-07-16-08-55	cpe:2.3:a:wire:wire-webapp:2018-07-16-08-55:::::::*
wire	wire-webapp	2018-07-16-14-05	cpe:2.3:a:wire:wire-webapp:2018-07-16-14-05:::::::*
wire	wire-webapp	2018-07-26-08-54	cpe:2.3:a:wire:wire-webapp:2018-07-26-08-54:::::::*
wire	wire-webapp	2018-08-06-08-03	cpe:2.3:a:wire:wire-webapp:2018-08-06-08-03:::::::*
wire	wire-webapp	2018-08-22-07-38	cpe:2.3:a:wire:wire-webapp:2018-08-22-07-38:::::::*
wire	wire-webapp	2018-08-31-06-54	cpe:2.3:a:wire:wire-webapp:2018-08-31-06-54:::::::*
wire	wire-webapp	2018-09-07-14-18	cpe:2.3:a:wire:wire-webapp:2018-09-07-14-18:::::::*

References for CVE-2022-24799

URL	Tags
https://github.com/wireapp/wire-webapp/commit/d14455252a949dc83f36d45e2babbdd9328af2a4	Patch Third Party Advisory
https://github.com/wireapp/wire-webapp/releases/tag/2022-03-30-production.0	Third Party Advisory
https://github.com/wireapp/wire-webapp/security/advisories/GHSA-5568-rfh8-vmhq	Third Party Advisory

URL

CVE-2022-24799 | Cross Site Scripting in Wire Webapp

Exploit prediction scoring system (EPSS) score for CVE-2022-24799

Common vulnerability scoring system (CVSS) metrics for CVE-2022-24799

Weakness enumeration for CVE-2022-24799

Affected software / configurations for CVE-2022-24799

References for CVE-2022-24799