2025-06-18 22:14:06
GitHub_M
PUBLISHED
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URIs protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.