Auth bypass in Livehelperchat
CVE-2026-27954
Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without cal…
Vulnerability class: Broken Access Control
EPSS: 0.000 (11.0th percentile)
Affected products
- Livehelperchat — versions <= 4.52
Weakness classification (CWE)
References
- https://github.com/LiveHelperChat/livehelperchat/security/advisories/GHSA-87wc-2p86-h3w7 (x_refsource_CONFIRM)