Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2025-49590

Incomplete Denylist to Cross-Site Scripting

Published: Jun 18, 2025 | Modified: Aug 11, 2025
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-49590
CWEhttps://cwe.mitre.org/data/definitions/692.html

CryptPad is a collaboration suite. Prior to version 2025.3.0, the Link Bouncer functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an early allow code path that happens before the URIs protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Weakness

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Affected Software

Name Vendor Start Version End Version
Cryptpad Xwiki * 2025.3.0 (excluding)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use