Unknown · Calibre-Web · CVE-2025-65858
**Name of the Vulnerable Software and Affected Versions**
Calibre-Web version 0.6.25
**Description**
A Stored Cross-Site Scripting (XSS) vulnerability exists in Calibre-Web. An attacker can inject malicious JavaScript into the `username` field when creating a user. The injected payload is stored without proper sanitization and executes when the `/ajax/listusers` endpoint is accessed.
**Recommendations**
Upgrade to a release that contains a fix for this vulnerability. As a temporary workaround, sanitize user input for the `username` field during user creation, and restrict access to the `/ajax/listusers` endpoint to reduce the risk of exploitation.
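The following is an added example, not Calibre-Web's own code, illustrating the flaw in the description and the two workarounds above: a user-list builder that copies stored usernames verbatim beside a hardened one that HTML-escapes them, an allowlist check for new usernames, and a sweep that flags already-stored accounts whose username contains markup. The user records, the allowlist policy and the function names are assumptions chosen for this example.

```python
import html
import json
import re

# Constructed sample records standing in for stored Calibre-Web users (not real
# data); the third username carries a harmless XSS canary for demonstration.
SAMPLE_USERS = [
    {"id": 1, "name": "alice", "email": "alice@example.invalid"},
    {"id": 2, "name": "bob", "email": "bob@example.invalid"},
    {"id": 3, "name": "<img src=x onerror=alert(1)>", "email": "x@example.invalid"},
]

# Allowlist for new usernames (an assumed policy, not Calibre-Web's own rule):
# letters, digits, dot, underscore and hyphen, 1 to 64 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(name):
    """Creation-time check: accept only names that cannot carry HTML markup."""
    return bool(USERNAME_RE.fullmatch(name))


def list_users_vulnerable(users):
    """The flawed pattern: user-controlled strings are copied verbatim into the
    JSON rows that a table widget later inserts into the DOM as HTML."""
    rows = [{"id": u["id"], "name": u["name"], "email": u["email"]} for u in users]
    return json.dumps({"total": len(rows), "rows": rows})


def list_users_fixed(users):
    """Hardened output: HTML-escape every user-controlled field server-side, so
    even markup that is already stored is rendered as literal text."""
    rows = [
        {"id": u["id"],
         "name": html.escape(u["name"], quote=True),
         "email": html.escape(u["email"], quote=True)}
        for u in users
    ]
    return json.dumps({"total": len(rows), "rows": rows})


def find_markup_usernames(users):
    """Detection sweep over stored accounts: ids of users whose username already
    contains HTML metacharacters, for review or cleanup after upgrading."""
    return [u["id"] for u in users if re.search(r"""[<>"']""", u["name"])]


if __name__ == "__main__":
    print(list_users_vulnerable(SAMPLE_USERS))
    print(list_users_fixed(SAMPLE_USERS))
    print("usernames needing review:", find_markup_usernames(SAMPLE_USERS))
```

Escaping in the list endpoint protects against payloads stored before the allowlist was enforced, which is why both controls are shown rather than either alone.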