CVE-2025-8848

Source
https://cve.org/CVERecord?id=CVE-2025-8848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-8848
Published
2025-10-22T13:54:00.389Z
Modified
2026-07-15T01:49:14.662847468Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
HTML Injection in Accept-Language Header in danny-avila/librechat
Details

A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/8xxx/CVE-2025-8848.json",
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/danny-avila/librechat

Affected ranges

Type
GIT
Repo
https://github.com/danny-avila/librechat
Events
Database specific
{
    "cpe": "cpe:2.3:a:librechat:librechat:0.7.9:-:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.7.9-NA"
        },
        {
            "last_affected": "0.7.9-NA"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

0.*
0.7.9-NA
librechat-1.*
librechat-1.8.9
v0.*
v0.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8848.json"