cvedb.io
CVE-2025-49590
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2025-06-18T23:15:19.200 · Last modified 2026-06-17T09:31:32.890

Summary

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Affected products

xwiki — cryptpad

Does this affect you?

Add your gear to cvedb and we'll alert you only when xwiki ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.