CryptPad is a collaboration suite. Prior to version 2025.3.0, the Link Bouncer functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an early allow code path that happens before the URIs protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.