CryptPad 跨站脚本漏洞

CryptPad is an open-source collaboration suite developed by CryptPad. Versions of CryptPad prior to 2026.2.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the HTML cleaner’s incomplete filtering of restricted tag attributes, allowing attackers to inject arbitrary...

CVE-2025-51846 CryptPad unbounded WebSocket frame flood

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2...

CryptPad unbounded WebSocket frame flood

RISK EVALUATION CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. 2. RECOMMENDED PRACTICES Upgrade to 2026.2.2. 3. DESCRIPTION CryptPad 2025.3.1 allows unbounded WebSocket...

EUVD-2017-1374

Malware in sbrugna...

CVE-2025-49590

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting XSS, however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which ...

CVE-2025-49591

CVE-2025-49591 (CryptPad 2FA bypass) affects CryptPad versions prior to 2025.3.0. The weakness is in access control enforcement for 2FA, where 2FA can be bypassed if the path parameter length is not 44 characters, enabling an attacker with user credentials to access the victim’s account without e...

CVE-2025-49591 CryptPad 2FA Bypass Vulnerability

CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication 2FA in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can gain access to the victim's account, even if the...

CVE-2025-49590 CryptPad Dom-Based Cross-Site Scripting (XSS) Vulnerability

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting XSS, however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which ...

CVE-2025-49590

CryptPad (before version 2025.3.0) is affected by a Dom-Based XSS via the Link Bouncer feature, where an early-allow code path executes before the URI protocol is checked, allowing a maliciously crafted javascript: URI to bypass filtering. The issue has been patched in 2025.3.0. Affected componen...

PT-2025-26187 · Cryptpad · Cryptpad

Name of the Vulnerable Software and Affected Versions: CryptPad versions prior to 2025.3.0 Description: The issue concerns the "Link Bouncer" functionality in CryptPad, a collaboration suite, which attempts to filter javascript URIs to prevent Cross-Site Scripting XSS. However, this filtering can...

PT-2025-26188 · Cryptpad · Cryptpad

Name of the Vulnerable Software and Affected Versions: CryptPad versions prior to 2025.3.0 Description: The issue concerns a weak implementation of access controls in CryptPad, allowing an attacker who compromises a user's credentials to gain access to the victim's account, even if the victim has...