VYPR
Moderate severity · NVD Advisory · Published May 7, 2025 · Updated May 8, 2025

CVE-2025-29746

Description

Koillection 1.6.10 contains stored and reflected XSS vulnerabilities in collections, wishlists, and albums that can lead to privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Analysis

CVE-2025-29746 describes a Cross-Site Scripting (XSS) vulnerability found in Koillection v1.6.10. The issue affects the collection, wishlist, and album components, where user input in text fields and list elements is not properly sanitized before being stored or reflected back to users [1][4].

Attack Vector

Attackers can exploit stored XSS by injecting malicious JavaScript into text fields when creating or editing a collection or an item within a collection. Reflected XSS vectors exist in the wishlist and album creation/editing flows, though these are limited to the author's own session. The payload used during testing is documented in [4].

Impact

Successful exploitation allows a remote attacker to execute arbitrary JavaScript in the context of the victim's browser. While the session cookie has the HttpOnly flag set (preventing straightforward cookie theft), the attacker could still redirect users to malicious sites or perform actions on behalf of the victim, potentially leading to privilege escalation within the application [4].

Mitigation

The vulnerability has been addressed in subsequent releases. Koillection v1.6.11 and v1.6.12 contain security fixes that sanitize the vulnerable input fields, and users are strongly advised to upgrade to one of these patched versions [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: koillection/koillection (Packagist)
Affected versions: < 1.6.12
Patched versions: 1.6.12

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Improper neutralization of user-controllable input in text fields of Collection, Wishlist, and Album sections allows stored and reflected cross-site scripting."

Attack vector

An attacker can inject a JavaScript payload such as `

Affected code

The vulnerability exists in the Collection, Wishlist, and Album sections of Koillection 1.6.10. The text input fields used when creating or editing collections, wishlists, and albums do not sanitize user-supplied content [1].

What the fix does

The advisory states that version 1.6.11 fixes the issue [1]. No patch diff is provided in the bundle, but the fix would involve properly neutralizing or escaping user-controllable input before it is rendered as a web page, preventing script execution in the Collection, Wishlist, and Album sections.
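As an added illustration of the escaping fix described above (example code, not Koillection's own), the following Python shows a title field rendered the vulnerable way and the neutralized way, and goes one step further with an audit helper a defender can run over text stored before the upgrade. The row layout, field names and sample values are constructed for this example.

```python
import html
import re

# Constructed sample records standing in for Koillection collection, wishlist
# and album text fields. The script/img strings are constructed placeholders,
# not the payload from the advisory.
STORED_ROWS = [
    {"section": "collection", "id": 1, "field": "title", "value": "Vinyl records"},
    {"section": "wishlist", "id": 7, "field": "name", "value": "Books <3 & more"},
    {"section": "album", "id": 3, "field": "title",
     "value": '<script>alert("xss")</script>'},
    {"section": "collection", "id": 9, "field": "title",
     "value": '<img src=x onerror="alert(1)">'},
]


def render_title_vulnerable(title: str) -> str:
    """The 1.6.10-style pattern: user text is interpolated into HTML unchanged."""
    return f"<h1>{title}</h1>"


def render_title_fixed(title: str) -> str:
    """Neutralize the value before it reaches the page: <, >, &, and quotes
    become entities, so the browser displays the text instead of executing it."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


# Markers that should not appear in a plain-text title/name field.
_SUSPECT = re.compile(r"<\s*(script|img|svg|iframe)\b|on[a-z]+\s*=|javascript\s*:", re.I)


def audit_stored_text(rows):
    """Return (section, id, field) for rows whose stored text looks like markup
    or script, for reviewing content entered while the unescaped rendering was live."""
    return [(r["section"], r["id"], r["field"]) for r in rows if _SUSPECT.search(r["value"])]


if __name__ == "__main__":
    for row in STORED_ROWS:
        print(render_title_fixed(row["value"]))
    print("suspicious rows:", audit_stored_text(STORED_ROWS))
```

Output escaping is the fix the advisory describes; the audit is only a review aid, since the heuristic can flag benign text containing "on...=" and will miss payloads it has no pattern for.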

Preconditions

  • auth: Attacker must have access to create or edit a collection, wishlist, or album in Koillection
  • network: No special network position required beyond normal web access to the application
  • input: Attacker supplies a malicious XSS payload in a text input field

Reproduction

To reproduce Stored XSS in Collections: create or edit a collection and enter `

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6
