EUVD-2025-18910
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5Description
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Analysis
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Technical Context
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
Affected Products
Affected products: Xwiki Cryptpad
Remediation
A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today