VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2025 · Updated Jun 23, 2025

CryptPad Dom-Based Cross-Site Scripting (XSS) Vulnerability

CVE-2025-49590

Description

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS); however, this filter can be bypassed. An "early allow" code path runs before the URI's protocol/scheme is checked, and a maliciously crafted URI can follow it. This issue has been patched in version 2025.3.0.
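
The ordering flaw described above, as an added example that is not CryptPad's code: a link check whose shortcut returns before the scheme is examined, beside one that makes the scheme allowlist a precondition of every path. The function names, the `looksTrusted` shortcut, the `trusted.example` host and the sample URIs are all constructed assumptions.

```javascript
// Added illustration; not CryptPad's code. All names are hypothetical.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Stand-in for an application's "trusted link" shortcut (assumption).
function looksTrusted(href) {
  return href.includes("trusted.example");
}

// Parse with the WHATWG URL parser so the scheme checked here is the one
// the browser acts on: it strips leading whitespace and embedded
// tabs/newlines and lowercases the scheme.
function parseScheme(href) {
  try {
    return new URL(href).protocol; // e.g. "https:" (trailing colon included)
  } catch {
    return null; // relative or malformed input: no scheme to trust
  }
}

// Flawed ordering: the shortcut returns before the scheme is examined.
function decideAllowFirst(href) {
  if (looksTrusted(href)) return "allow";
  return SAFE_SCHEMES.has(parseScheme(href)) ? "confirm" : "block";
}

// Hardened ordering: the scheme allowlist gates every later decision.
function decideSchemeFirst(href) {
  const scheme = parseScheme(href);
  if (scheme === null || !SAFE_SCHEMES.has(scheme)) return "block";
  if (looksTrusted(href)) return "allow";
  return "confirm"; // safe scheme, unknown destination: ask the user first
}

// Constructed sample inputs (inert payloads).
const SAMPLES = [
  "https://trusted.example/pad",
  "javascript:void(0)//trusted.example",
  "\tjava\nscript:void(0)",
  "https://other.example/",
];

for (const href of SAMPLES) {
  console.log(JSON.stringify(href), decideAllowFirst(href), decideSchemeFirst(href));
}
```
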

Affected products

  • Cryptpad/Cryptpad (llm-fuzzy match), 2 versions
    • (no CPE) range: < 2025.3.0
    • (no CPE) range: < 2025.3.0
