A Pre-Account Takeover (Pre-ATO) vulnerability in Chatwoot's authentication flow allowed attackers to pre-register email addresses they did not own and retain persistent access even after legitimate owners signed in via OAuth. The flaw existed because email confirmation was not enforced before accounts became usable, and the OAuth flow silently confirmed existing accounts without invalidating attacker-set [truncated]
A SQL injection vulnerability in Chatwoot's conversation and contact filter APIs allows authenticated users to execute arbitrary SQL via time-based blind injection. The flaw exists in versions 2.2.0 through 4.11.1, affecting filter endpoints when using `is_greater_than` or `is_less_than` operators on custom date or number attributes. User-supplied values in the filter payload are interpolated directly int [truncated]
