Moderate severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 23, 2026
CVE-2025-67438
Description
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.
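One way a server can limit this class of bug when it hands user-uploaded files back to browsers, shown as an added example (not Sync-in's code and not the 1.9.3 fix): SVGs are forced to download under a sandboxing CSP, and active content is flagged for triage. The function names and the sample SVG strings are assumptions constructed for illustration.

```javascript
// Added example, not Sync-in code. All names here are hypothetical.
// Constructed sample inputs (inert placeholders, not real payloads).
const CONSTRUCTED_ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">' +
  "<script>/* constructed placeholder */</script></svg>";
const CONSTRUCTED_STATIC_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>';

// Markers of script-capable SVG content. This is a triage heuristic for
// logging or quarantine; it can misfire and is NOT a sanitizer.
const ACTIVE_SVG_PATTERNS = [
  { name: "script-element", re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  { name: "event-handler-attribute", re: /\son[a-z]+\s*=/i },
  { name: "javascript-uri", re: /(?:xlink:)?href\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject", re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
];

// Returns the names of the markers found in the SVG text.
function findActiveSvgContent(svgText) {
  return ACTIVE_SVG_PATTERNS.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Treat a file as SVG if either its name or its leading bytes say so,
// so a renamed upload (e.g. "avatar.png") is still caught.
function looksLikeSvg(filename, head) {
  return /\.svgz?$/i.test(filename) || /<\s*svg[\s>]/i.test(head);
}

// Response headers for serving an uploaded file (body given as a string)
// from the application's own origin.
function safeDownloadHeaders(filename, body) {
  const headers = { "X-Content-Type-Options": "nosniff" };
  if (looksLikeSvg(filename, body.slice(0, 1024))) {
    // Do not let the browser render the SVG as a document on the app origin:
    // force a download, and sandbox it in case it is rendered anyway.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = "attachment";
    headers["Content-Security-Policy"] = "sandbox; default-src 'none'";
  }
  return headers;
}
```

The header policy is the actual control; the pattern scan only tells an operator which stored uploads deserve a closer look.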
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @sync-in/server (npm) | < 1.9.3 | 1.9.3 |
Affected products
- Sync-in/Sync-in Server