CVE-2025-67438

Publication date

2026-02-20 00:00:00

Family

mitre

State

PUBLISHED

Description

A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victims browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the users session cookies.