CVE Vulnerabilities

CVE-2025-49590

Incomplete Denylist to Cross-Site Scripting

Published: Jun 18, 2025 | Modified: Aug 11, 2025
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

CryptPad is a collaboration suite. Prior to version 2025.3.0, the Link Bouncer functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an early allow code path that happens before the URIs protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Weakness

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Affected Software

Name Vendor Start Version End Version
Cryptpad Xwiki * 2025.3.0 (excluding)

References