Critical severity 9.3 · NVD Advisory · Published Sep 4, 2025 · Updated Apr 15, 2026
CVE-2025-58361
Description
Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain a non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips javascript: and a few other patterns. data: URLs (for example data:image/svg+xml,…) still pass. If a sanitized value is used in href/src, an attacker can execute a script. There is currently no fix for this issue.
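The weakness described above is a denylist check: it names a few bad schemes and lets every other scheme through. The added example below (my own illustration, not code from the project's src/utils/validation.ts) models that class of check next to the hardened alternative, an allowlist enforced on the parsed URL's scheme; the function names, the base URL and the sample inputs are assumptions.

```typescript
// Added example, not Promptcraft Forge Studio's code. denylistSanitize models the
// class of check the advisory describes: it strips a few known-bad schemes, so any
// scheme it does not name (data:, blob:, file:, ...) passes through untouched.
// allowlistHref is the hardened form: parse the value and accept only named schemes.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Weak check (assumed shape, not the project's implementation): a denylist of schemes.
export function denylistSanitize(input: string): string {
  const trimmed = input.trim();
  // Only javascript: and vbscript: are blocked; data: is simply not in the list.
  if (/^(javascript|vbscript):/i.test(trimmed)) {
    return "about:blank";
  }
  return trimmed;
}

// Hardened check: returns null when the value must not be placed in href/src.
// Relative links are resolved against a base so they still pass; an absolute
// URL keeps its own scheme, which is what the allowlist inspects.
export function allowlistHref(
  input: string,
  base = "https://example.invalid/", // constructed placeholder, not a real origin
): string | null {
  const trimmed = input.trim();
  if (trimmed === "") {
    return null; // an empty value would otherwise resolve to the base itself
  }
  let parsed: URL;
  try {
    parsed = new URL(trimmed, base);
  } catch {
    return null; // unparseable input: reject rather than guess
  }
  // The WHATWG parser lower-cases the scheme and strips tab/newline characters
  // before this comparison, so case or whitespace tricks cannot bypass the set.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null; // data:, javascript:, blob:, file:, ... all land here
  }
  return parsed.href;
}
```

Only the allowlist result should ever reach an href or src attribute; the denylist function is kept here purely to show what it lets through.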
Affected products
- (no CPE)
- (no CPE), range: <=0.0.0 (all versions)