CVE-2025-58070
Description
Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Pleasanter's Preview for Attachments lets a logged-in attacker run arbitrary scripts in other logged-in users' browsers via uploaded malicious HTML files.
Pleasanter contains a stored cross-site scripting (XSS) vulnerability in the Preview for Attachments feature (CWE-79). An attacker who is a logged-in user can upload an HTML file containing malicious scripts to an attachment field. When another logged-in user views the attachment preview, the script executes in their browser [1][2].
Exploitation requires the attacker to have a valid user account and the victim to preview the uploaded attachment. The vulnerability also exists in other fields: Body, Description, and Comments, where scripts can be injected using special notations. Anonymous users cannot exploit this vulnerability directly [1].
Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser, potentially leading to data theft, data tampering, or redirection to external malicious sites [1][2].
The developer has released version 1.4.21.0, which fixes these vulnerabilities. Users are advised to update immediately [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.