Олег Сурнин (Positive Technologies)

**Name of the Vulnerable Software and Affected Versions** PT-2025-138: Server-Side Prototype Pollution in Foundry Virtual Tabletop **Description** A vulnerability has been identified in Foundry Virtual Tabletop affecting version 13.350. The discovered vulnerability can be exploited by an attacker to inject arbitrary properties into the global object prototype of the Foundry Virtual Tabletop (FVT) server through unsafe recursive merge operations on user input. This allows the attacker to modify the base prototype of JavaScript objects, which subsequently leads to various types of attacks: denial of service (DoS) through infinite recursion, authentication bypass, and other potential threats. Vulnerability status: Confirmed by the vendor. Vulnerability fix date: 11/12/2025. **Recommendations** Update to version 13.351 or higher.

**Name of the Vulnerable Software and Affected Versions** PT-2025-139: Stored Cross-Site Scripting (Stored XSS) in Foundry Virtual Tabletop **Description** A vulnerability has been identified in Foundry Virtual Tabletop affecting version 13.350. The discovered vulnerability can be exploited by an attacker to inject malicious JavaScript code into the client side of Foundry Virtual Tabletop (FVT) through unsafe handling of user input during rendering. When generating HTML templates or dynamic content, the server/client directly inserts the received data without proper sanitization, allowing the attacker to execute arbitrary scripts in the context of the victim's browser. Vulnerability status: Confirmed by the vendor. Vulnerability fix date: 11/12/2025. **Recommendations** Update to version 13.351 or higher.