CVE-2025-70845
Description
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) in the /setting/ page, where the "intro" field is not properly sanitized or escaped.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
aidigu v1.9.1 has a stored XSS vulnerability in the /setting/ page's 'intro' field due to improper sanitization, allowing script injection.
Vulnerability
Overview
CVE-2025-70845 is a stored Cross-Site Scripting (XSS) vulnerability in aidigu version 1.9.1, an issue tracker application. The flaw resides in the /setting/ page, where the "intro" field fails to properly sanitize or escape user-supplied input [1]. This allows an attacker to inject arbitrary JavaScript or HTML that is stored on the server and later executed in the browsers of other users viewing the affected page.
Exploitation and Attack Surface
To exploit this vulnerability, an attacker must have access to the settings page, which typically requires authenticated access as a user with permission to modify the application's introduction or profile text. The attacker submits crafted payloads into the "intro" field. No special network position is required beyond normal web access to the application [1]. The stored script will then execute whenever any user navigates to the settings page, making it a persistent threat.
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies or authentication tokens. The impact is limited by the fact that the attacker must first have an account with sufficient privileges to modify the settings [1].
Mitigation
The vulnerability has been fixed in a subsequent release of aidigu. Users are strongly advised to upgrade to the latest version. No workaround is provided. The issue was discovered and reported by J4cky1028 in February 2026 [1].
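The fix class the advisory points at is output encoding of the stored "intro" value before it is placed in HTML. The following is an added illustration, not code from aidigu or from the reporter: it renders a constructed sample value once the vulnerable way (raw concatenation) and once with HTML escaping, then parses both results to show which one still yields an active script element. The template shape and the sample string are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample for an "intro" field; it is not a payload from the advisory.
SAMPLE_INTRO = 'Hello <b>team</b> <script>alert(1)</script>'


def render_intro_unescaped(intro: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into HTML,
    so any markup the user saved is parsed by the viewer's browser."""
    return f'<div class="intro">{intro}</div>'


def render_intro_escaped(intro: str) -> str:
    """Hardened pattern: encode <, >, &, and quotes on output so the browser
    displays the characters instead of interpreting them as markup."""
    return f'<div class="intro">{html.escape(intro, quote=True)}</div>'


class TagCollector(HTMLParser):
    """Collects the start tags the HTML parser sees in a rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered: str) -> list[str]:
    """Return the element names a browser-like parser would create for the
    fragment; a 'script' entry means the stored text became executable."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unescaped:", tags_in(render_intro_unescaped(SAMPLE_INTRO)))
    print("escaped:  ", tags_in(render_intro_escaped(SAMPLE_INTRO)))
```

The same `html.escape(..., quote=True)` call is needed in attribute context (for example a `value="..."` field); escaping only on input is not a substitute, because data stored before the fix stays unencoded.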
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.