CVE-2025-56154

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-56154

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56154.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-56154

Published

2025-10-02T16:15:34.773Z

Modified

2026-03-14T15:04:43.080828Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

htmly v3.0.8 is vulnerable to Cross Site Scripting (XSS) in the /author/:name endpoint of the affected application. The name parameter is not properly sanitized before being reflected in the HTML response, allowing attackers to inject arbitrary JavaScript payloads.

References

Affected packages

Git / github.com/danpros/htmly

Affected ranges

Type

GIT

Repo

https://github.com/danpros/htmly

Events

Introduced

Last affected

f6a8caa379d982da8adf38c98bdbfc942efc0704

Fixed

f3de94c0ff7633fb4d96bf01971962c7dfdf445b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.8"
        }
    ]
}

Affected versions

v.*

v.2.8.6

v1.*

v1.0

v1.1

v1.5

v1.6

v1.7

v1.8

v1.9

v2.*

v2.0

v2.1

v2.2

v2.3

v2.4

v2.4.1

v2.5

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.7

v2.8.8

v2.8.9

v2.9.0

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8

v2.9.9

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56154.json"