Security Advisory
CVE-2025-49590
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URIs protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.