Description

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

INFO

Published Date :

2025-06-18T22:14:06.323Z

Last Modified :

2025-06-23T16:41:36.205Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49590 vulnerability.

Vendors Products
Xwiki
  • Cryptpad
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49590.

URL Resource
https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95 cve-icon cve-icon
https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607 cve-icon cve-icon
https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact