Technical description
Versions ≤2.7.1 parse custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing Markdown sanitisation and enabling Stored XSS with session hijacking and sensitive data exposure.
Attack vector
Network, low complexity. Attacker supplies malicious content via LLM output or configuration that the renderer parses unsanitised.
Affected systems
LLM application versions ≤2.7.1. Fixed in 2.8.0.
Mitigation
Upgrade to 2.8.0+. Enforce strict CSP. Sanitise all user-controllable content before rendering.
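The sanitisation and CSP mitigations above, sketched as an added example (not the affected project's code). The helper names are hypothetical, and it assumes the renderer only acts on literal <iframe_render> markup, so escaping untrusted text before rendering leaves the tag inert.

```javascript
// Added example: hypothetical helper names, not the affected project's code.
// Assumption: the renderer only acts on literal "<iframe_render" markup, so
// HTML-escaping untrusted text before it reaches the renderer leaves it inert.

// Matches opening or closing tags, tolerating case and whitespace differences.
const TAG_PATTERN = /<\s*\/?\s*iframe_render\b/i;

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Neutralise one untrusted string (LLM response or Application Prologue value).
// Returns the escaped text plus a flag the caller can log or alert on.
function neutraliseUntrusted(text, source) {
  const flagged = TAG_PATTERN.test(String(text));
  return { source, flagged, safe: escapeHtml(text) };
}

// Strict CSP as a second layer: no framing, no plugins, scripts from self only.
function strictCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "frame-src 'none'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Constructed sample inputs covering both sources named in the advisory.
const samples = [
  ["llm_response", "Here is a chart: <iframe_render>placeholder</iframe_render>"],
  ["prologue", "Welcome! Ask me anything about **billing**."],
  ["llm_response", "< IFRAME_RENDER >x"],
];
for (const [source, text] of samples) {
  const r = neutraliseUntrusted(text, source);
  console.log(source, r.flagged ? "FLAGGED" : "ok", r.safe);
}
console.log("Content-Security-Policy:", strictCsp());
```

Escaping `>` also disables Markdown blockquotes in the untrusted text; remove it from the map if blockquotes must survive.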