Vulnerability Details CVE-2025-49590
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.2%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2025-49590
-
cpe:2.3:a:xwiki:cryptpad:0.2.0
-
cpe:2.3:a:xwiki:cryptpad:0.3.0
-
cpe:2.3:a:xwiki:cryptpad:1.0.0
-
cpe:2.3:a:xwiki:cryptpad:1.1.0
-
cpe:2.3:a:xwiki:cryptpad:1.1.1
-
cpe:2.3:a:xwiki:cryptpad:1.10.0
-
cpe:2.3:a:xwiki:cryptpad:1.10.1
-
cpe:2.3:a:xwiki:cryptpad:1.11.0
-
cpe:2.3:a:xwiki:cryptpad:1.12.0
-
cpe:2.3:a:xwiki:cryptpad:1.13.0
-
cpe:2.3:a:xwiki:cryptpad:1.14.0
-
cpe:2.3:a:xwiki:cryptpad:1.15.0
-
cpe:2.3:a:xwiki:cryptpad:1.16.0
-
cpe:2.3:a:xwiki:cryptpad:1.17.0
-
cpe:2.3:a:xwiki:cryptpad:1.18.0
-
cpe:2.3:a:xwiki:cryptpad:1.19.0
-
cpe:2.3:a:xwiki:cryptpad:1.2.0
-
cpe:2.3:a:xwiki:cryptpad:1.20.0
-
cpe:2.3:a:xwiki:cryptpad:1.21.0
-
cpe:2.3:a:xwiki:cryptpad:1.22.0
-
cpe:2.3:a:xwiki:cryptpad:1.23.0
-
cpe:2.3:a:xwiki:cryptpad:1.24.0
-
cpe:2.3:a:xwiki:cryptpad:1.25.0
-
cpe:2.3:a:xwiki:cryptpad:1.26.0
-
cpe:2.3:a:xwiki:cryptpad:1.27.0
-
cpe:2.3:a:xwiki:cryptpad:1.28.0
-
cpe:2.3:a:xwiki:cryptpad:1.29.0
-
cpe:2.3:a:xwiki:cryptpad:1.3.0
-
cpe:2.3:a:xwiki:cryptpad:1.4.0
-
cpe:2.3:a:xwiki:cryptpad:1.5.0
-
cpe:2.3:a:xwiki:cryptpad:1.6.0
-
cpe:2.3:a:xwiki:cryptpad:1.7.0
-
cpe:2.3:a:xwiki:cryptpad:1.8.0
-
cpe:2.3:a:xwiki:cryptpad:1.9.0
-
cpe:2.3:a:xwiki:cryptpad:2.0.0
-
cpe:2.3:a:xwiki:cryptpad:2.1.0
-
cpe:2.3:a:xwiki:cryptpad:2.1.1
-
cpe:2.3:a:xwiki:cryptpad:2.10.0
-
cpe:2.3:a:xwiki:cryptpad:2.11.0
-
cpe:2.3:a:xwiki:cryptpad:2.12.0
-
cpe:2.3:a:xwiki:cryptpad:2.13.0
-
cpe:2.3:a:xwiki:cryptpad:2.14.0
-
cpe:2.3:a:xwiki:cryptpad:2.15.0
-
cpe:2.3:a:xwiki:cryptpad:2.16.0
-
cpe:2.3:a:xwiki:cryptpad:2.17.0
-
cpe:2.3:a:xwiki:cryptpad:2.17.05
-
cpe:2.3:a:xwiki:cryptpad:2.17.06
-
cpe:2.3:a:xwiki:cryptpad:2.18.0
-
cpe:2.3:a:xwiki:cryptpad:2.19.0
-
cpe:2.3:a:xwiki:cryptpad:2.2.0
-
cpe:2.3:a:xwiki:cryptpad:2.20.0
-
cpe:2.3:a:xwiki:cryptpad:2.21.0
-
cpe:2.3:a:xwiki:cryptpad:2.22.0
-
cpe:2.3:a:xwiki:cryptpad:2.23.0
-
cpe:2.3:a:xwiki:cryptpad:2.24.0
-
cpe:2.3:a:xwiki:cryptpad:2.25.0
-
cpe:2.3:a:xwiki:cryptpad:2.3.0
-
cpe:2.3:a:xwiki:cryptpad:2.4.0
-
cpe:2.3:a:xwiki:cryptpad:2.5.0
-
cpe:2.3:a:xwiki:cryptpad:2.6.0
-
cpe:2.3:a:xwiki:cryptpad:2.7.0
-
cpe:2.3:a:xwiki:cryptpad:2.8.0
-
cpe:2.3:a:xwiki:cryptpad:2.9.0
-
cpe:2.3:a:xwiki:cryptpad:3.0.0
-
cpe:2.3:a:xwiki:cryptpad:3.0.1
-
cpe:2.3:a:xwiki:cryptpad:3.1.0