CVE-2025-49590

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49590

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49590.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49590

Aliases

GHSA-vq9h-x3gr-v8rj

Published

2025-06-18T22:14:06.323Z

Modified

2026-04-10T05:30:37.385364Z

Severity

2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:P CVSS Calculator

Summary

CryptPad Dom-Based Cross-Site Scripting (XSS) Vulnerability

Details

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-692"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49590.json"
}

References

Affected packages

Git / github.com/cryptpad/cryptpad

Affected ranges

Type: GIT
Repo: https://github.com/cryptpad/cryptpad
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

52a4d926d902eb4f667cab49b14875174373ef80

Affected versions

0.*

0.2.0

0.3.0

1.*

1.1.0

1.1.1

1.11.0

1.12.0

1.18.0

1.2.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.3.0

1.4.0

1.8.0

1.9.0

2.*

2.17.0

2.17.05

2.17.06

2.19.0

2.21.0

2.22.0

2024.*

2024.3.0

2024.3.1

2024.6.0

3.*

3.10.0

3.14.0

3.15.0

3.18.0

3.18.1

3.20.1

3.23.0

3.23.1

3.23.2

3.3.0

3.7.0

3.8.0

3.9.0

4.*

4.4.0

4.5.0

4.6.0

4.7.0

4.8.0

5.*

5.2.0

5.2.1

5.3.0

5.4.0

5.5.0

5.6.0

5.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49590.json"

Git / github.com/xwiki-labs/cryptpad