VYPR

Onlook

by Onlook

CVEs (3)

  • CVE-2025-63783 (Nov 7, 2025)
    risk 0.00 | cvss | epss 0.00

    A Broken Object Level Authorization (BOLA) vulnerability was discovered in the tRPC project mutation APIs (update, delete, add/remove tag) of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently…

  • CVE-2025-63785 (Nov 7, 2025)
    risk 0.00 | cvss | epss 0.00

    A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a…

  • CVE-2025-63784 (Nov 7, 2025)
    risk 0.00 | cvss | epss 0.00

    An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without proper validation…
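The BOLA pattern behind CVE-2025-63783, shown as an added example rather than Onlook's own code: a project-update mutation that only checks that the caller is logged in, beside the same mutation with an object-level ownership/membership check. tRPC is replaced by plain functions so the file runs in Node; the store shape, the `Ctx` type, the fixture users and the error codes are assumptions.

```typescript
// Added example, not Onlook's code. Store, Ctx and error codes are assumptions.
type Project = { id: string; ownerId: string; name: string; tags: string[] };
type Store = { projects: Map<string, Project>; members: { projectId: string; userId: string }[] };
type Ctx = { userId: string | null };          // what an auth middleware would attach
type UpdateInput = { id: string; name: string };

class TRPCError extends Error {
  code: string;
  constructor(code: string) { super(code); this.code = code; }
}

// Constructed fixture: alice owns p1, bob owns p2, carol is a member of p2 only.
function seedStore(): Store {
  return {
    projects: new Map<string, Project>([
      ["p1", { id: "p1", ownerId: "alice", name: "Alice site", tags: [] }],
      ["p2", { id: "p2", ownerId: "bob", name: "Bob site", tags: [] }],
    ]),
    members: [{ projectId: "p2", userId: "carol" }],
  };
}

// Vulnerable pattern: the caller is authenticated, but nothing ties the supplied
// project id to that caller, so any user can rename (or delete, tag) any project.
function updateProjectUnsafe(store: Store, ctx: Ctx, input: UpdateInput): Project {
  if (!ctx.userId) throw new TRPCError("UNAUTHORIZED");
  const project = store.projects.get(input.id);
  if (!project) throw new TRPCError("NOT_FOUND");
  project.name = input.name;
  return project;
}

// Object-level check: owner of, or explicit member of, this particular project.
function canMutate(store: Store, userId: string, project: Project): boolean {
  return project.ownerId === userId ||
    store.members.some(m => m.projectId === project.id && m.userId === userId);
}

// Fixed pattern: load the object, then verify the caller's relationship to it
// before touching it. Returning NOT_FOUND for both the missing and the forbidden
// case would also hide whether an id exists; FORBIDDEN is kept so both are visible.
function updateProjectSafe(store: Store, ctx: Ctx, input: UpdateInput): Project {
  if (!ctx.userId) throw new TRPCError("UNAUTHORIZED");
  const project = store.projects.get(input.id);
  if (!project) throw new TRPCError("NOT_FOUND");
  if (!canMutate(store, ctx.userId, project)) throw new TRPCError("FORBIDDEN");
  project.name = input.name;
  return project;
}

// Returns the thrown error code, or "OK" when the mutation went through.
function outcome(fn: () => unknown): string {
  try { fn(); return "OK"; } catch (e) { return e instanceof TRPCError ? e.code : "ERROR"; }
}
```

The same `canMutate` gate belongs in every mutation that takes an object id (delete, add/remove tag), ideally as one middleware or helper rather than a check copied into each handler, so a new procedure cannot forget it.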
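The DOM-based XSS in CVE-2025-63785 comes from assigning user text to `innerHTML`; as an added example (not Onlook's editor code), here is that assignment beside the two usual fixes: `textContent`, which never parses markup, and HTML-escaping for cases where the value must still go through `innerHTML`. `TextHost` is a hand-written subset of `HTMLElement` so the file runs in Node; in a browser any element satisfies it. The payload, the class name and the `containsTag` tripwire are constructed for the demo.

```typescript
// Added example, not Onlook's code. TextHost mirrors the two HTMLElement
// properties used here; the fake host does not sync innerHTML and textContent.
interface TextHost { innerHTML: string; textContent: string | null; }

// Constructed attacker input: markup that fires without any user interaction.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Vulnerable: user text is parsed as markup, so tags and event handlers run.
function setTextUnsafe(el: TextHost, userText: string): void {
  el.innerHTML = userText;
}

// Fix 1: textContent treats the value as a text node; the payload is shown literally.
function setTextSafe(el: TextHost, userText: string): void {
  el.textContent = userText;
}

// Fix 2: if the value really has to travel through innerHTML (for instance it is
// concatenated into a template string), escape the characters that can open a
// tag, close an attribute or start an entity.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}
function setTextEscaped(el: TextHost, userText: string): void {
  el.innerHTML = escapeHtml(userText);
}

// Demo tripwire: would the browser still see a tag in what was assigned to
// innerHTML? Only meaningful for innerHTML writes, not for textContent.
function containsTag(html: string): boolean {
  return /<[a-z!/]/i.test(html);
}

function newHost(): TextHost { return { innerHTML: "", textContent: "" }; }
```

Escaping is the right tool only when the editor needs no markup at all. If the feature must preserve rich text, run the value through a sanitizer such as DOMPurify (`DOMPurify.sanitize(html)`) before assigning it, and serve a Content-Security-Policy without `'unsafe-inline'` so an injected `onerror` handler cannot execute even if a sanitizer gap is found.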
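For CVE-2025-63784, the added example below (not Onlook's `route.ts`) shows how a callback handler that builds its redirect base from `X-Forwarded-Host` becomes an open redirect, beside a resolver that takes the origin from configuration, honours a forwarded host only from an explicit allow-list, and confines the `next` parameter to a same-origin path. Header handling is reduced to a plain record and the handler returns the target URL as a string so it runs in Node; the app origin, the allow-list and the `next` parameter are assumptions.

```typescript
// Added example, not Onlook's code. Header names are lowercase keys; the
// config values stand in for whatever the deployment reads from its environment.
type HeaderMap = Record<string, string | undefined>;
type RedirectConfig = { appOrigin: string; allowedHosts: string[] };

// Vulnerable: the redirect base is whatever arrived in X-Forwarded-Host. Behind
// a proxy that header is normally set by the proxy, but nothing here verifies
// that, so "X-Forwarded-Host: evil.example" sends the user (and the ?next= path,
// sometimes still carrying the auth code) to the attacker's host.
function resolveRedirectUnsafe(headers: HeaderMap, next: string): string {
  const host = headers["x-forwarded-host"] ?? headers["host"];
  return `https://${host}${next}`;
}

// `next` must be a same-origin path: exactly one leading slash, not followed by
// another slash or a backslash ("//evil" and "/\evil" both become a new host
// under the WHATWG URL parser). Anything else falls back to "/".
function safeNextPath(next: string | undefined): string {
  return next && /^\/(?![\/\\])/.test(next) ? next : "/";
}

// Fixed: the base origin is configured, a forwarded host is used only when it
// is on the allow-list (a comma-joined list or different casing will not match),
// and the parsed result is re-checked against the chosen origin.
function resolveRedirectSafe(headers: HeaderMap, next: string | undefined, cfg: RedirectConfig): string {
  const forwarded = headers["x-forwarded-host"]?.toLowerCase();
  const base = forwarded && cfg.allowedHosts.includes(forwarded)
    ? `https://${forwarded}`
    : cfg.appOrigin;
  const target = new URL(safeNextPath(next), base);
  return target.origin === new URL(base).origin
    ? target.toString()
    : new URL("/", base).toString();
}
```

The final origin comparison looks redundant next to `safeNextPath`, but it is the check that survives future edits to the path regex; keep both. If the app is deployed behind several preview hostnames, put them in the allow-list rather than loosening the check, and make the proxy overwrite (not merely set) `X-Forwarded-Host` so a client-supplied value never reaches the application.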