Khanhduy155

**Name of the Vulnerable Software and Affected Versions** Calibre-Web version 0.6.25 **Description** A Stored Cross-Site Scripting (XSS) issue exists in Calibre-Web. An attacker can inject malicious JavaScript into the `username` field during user creation. The injected payload is stored without proper sanitization and is executed when the `/ajax/listusers` endpoint is accessed. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize user input for the `username` field during user creation. Restrict access to the `/ajax/listusers` endpoint to minimize the risk of exploitation.