Cryptpad
Remote denial-of-service in CryptPad 2025.3.1 allows unauthenticated attackers to flood WebSocket frames and degrade or deny service for all users of an instance. The vulnerability stems from unbounded WebSocket connection handling without rate limiting. Fixed in version 2026.2.2 via an nginx rate-limiting configuration (30 requests/minute with burst=5); because the fix is delivered as a reverse-proxy rule, instances that do not route their traffic through that nginx configuration need to apply equivalent limits at whatever proxy or load balancer they do use. CVSS 8.7 (High) reflects a network-accessible, low-complexity attack requiring no authentication. No CISA KEV listing or public exploit was identified at time of analysis, but the low technical barrier suggests high exploitability.
CryptPad versions prior to 2025.3.0 contain a critical authentication bypass that allows attackers to circumvent Two-Factor Authentication (2FA) enforcement through a trivial path manipulation. An attacker who already holds a user's valid credentials can bypass the 2FA check by URL-encoding a single character in the access path, gaining full account access without the second factor. The vulnerability has a CVSS score of 9.1 (Critical); beyond the stolen password it requires no additional privileges and no user interaction to exploit. Because the second factor exists precisely to contain a leaked password, the bypass collapses account security to password-only.
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript: URIs to prevent Cross-Site Scripting (XSS), but the filter can be bypassed: an "early allow" code path runs before the URI's protocol/scheme is checked, and a maliciously crafted URI can take that path. This issue has been patched in version 2025.3.0.