CVE-2025-3191

Name of the Vulnerable Software and Affected Versions react-draft-wysiwyg versions 3.1 and earlier

Description The issue is related to Cross-site Scripting (XSS) via the Embedded button, which results in saving the payload in the iframe tag. This allows attackers to exploit the vulnerability.

Recommendations For react-draft-wysiwyg version 3.1 and earlier, consider disabling the Embedded button as a temporary workaround until a patch is available. Restrict access to the iframe tag to minimize the risk of exploitation. Avoid using the Embedded button in the affected package until the issue is resolved.