What is the CVSS score of EUVD-2025-201320?

EUVD-2025-201320 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Monkeytype are affected by EUVD-2025-201320?

Organizations using Monkeytype should be aware of moderate risk from CVE-2025-66563, a cross-site scripting vulnerability rated CVSS 6.1.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-201320?

Yes, a public proof-of-concept exploit is available for EUVD-2025-201320. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate EUVD-2025-201320?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Monkeytype EUVD-2025-201320

| CVE-2025-66563 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-12-04 security-advisories@github.com

XSS Monkeytype

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:35 euvd

EUVD-2025-201320

Analysis Generated

Mar 15, 2026 - 16:35 vuln.today

Patch released

Mar 15, 2026 - 16:35 nvd

Patch available

PoC Detected

Dec 17, 2025 - 16:12 vuln.today

Public exploit code

CVE Published

Dec 04, 2025 - 23:15 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

EUVD-2025-201320 vulnerability details – vuln.today

Back