PT-2025-15240 · Unknown · Tarteaucitron.Js

Pierre Rudloff (+1) · Published 2025-04-07 · Updated 2025-06-12

CVE-2025-31476
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: tarteaucitron.js versions prior to 1.20.1

Description: A vulnerability was identified in tarteaucitron.js that allows a user with high privileges to enter a URL containing an insecure scheme, such as javascript:alert(). Because the URL was not sufficiently validated, the value is rendered into a link and arbitrary JavaScript executes when a visitor clicks it. An attacker with high privileges could insert a link using such a scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing, or modification of the user interface behaviour. The CVSS vector reflects this: the attacker needs high privileges (PR:H) to plant the link and a victim must click it (UI:R), and the impact lands in the visitor's browser, outside the vulnerable component itself (S:C).

Recommendations: For versions prior to 1.20.1, update to version 1.20.1, which fixes the vulnerability. As a temporary workaround, restrict access to the functionality that accepts these URLs so that only trusted administrators can supply them, and avoid insecure URL schemes in links until the update is applied. A robust validation parses the value as a URL and accepts only an allow-list of schemes (http and https) rather than searching the raw string for a javascript: prefix, since browsers normalise case, leading whitespace and embedded tabs or newlines before interpreting the scheme.
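An added example, not code from tarteaucitron.js or from this advisory, showing why a string-prefix check is insufficient against the class of bug described above and how an allow-list on the parsed scheme closes it. All names (naiveIsSafe, isSafeLinkTarget, renderLink, the BASE constant and the constructed payloads) are this example's own assumptions; it runs under Node.js using the built-in WHATWG URL parser, which applies the same normalisation a browser does before resolving an href.

```javascript
// Added example (assumed names, not tarteaucitron.js code): allow-list URL
// scheme validation for user-supplied link targets.

const SAFE_SCHEMES = new Set(['http:', 'https:']);
// Stand-in for document.baseURI so the example runs outside a browser (assumption).
const BASE = 'https://example.com/privacy/';

// Naive filter: rejects only the literal, lowercase, unpadded prefix.
function naiveIsSafe(href) {
  return typeof href === 'string' && !href.startsWith('javascript:');
}

// Hardened filter: parse with the WHATWG URL parser (strips leading/trailing
// C0 controls and spaces, removes embedded tabs and newlines, lowercases the
// scheme), resolve relative values against the page base, then allow-list the
// resulting scheme. Anything unparsable is rejected.
function isSafeLinkTarget(href, base = BASE) {
  if (typeof href !== 'string' || href.trim() === '') return false;
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return false;
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Minimal attribute escaping for the label; the href itself comes from URL.href,
// whose path/query/fragment serialisation percent-encodes double quotes.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only a validated target reaches the href; otherwise fall back to a harmless '#'.
function renderLink(label, href, base = BASE) {
  const target = isSafeLinkTarget(href, base) ? new URL(href, base).href : '#';
  return `<a href="${target}">${escapeAttr(label)}</a>`;
}

// Constructed payloads (not from the advisory) covering common prefix-check bypasses
// plus legitimate absolute, relative and protocol-relative links.
const PAYLOADS = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' \tjavascript:alert(1)',
  'java\nscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:msgbox(1)',
  'https://example.org/privacy',
  '/legal/privacy.html',
  '//cdn.example.org/privacy',
];

// Returns the payloads the naive filter lets through but the hardened filter rejects.
function bypassesNaiveOnly(payloads = PAYLOADS) {
  return payloads.filter((p) => naiveIsSafe(p) && !isSafeLinkTarget(p));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) {
    console.log(JSON.stringify(p), 'naive:', naiveIsSafe(p), 'hardened:', isSafeLinkTarget(p));
  }
}
```

Note that a protocol-relative value such as //cdn.example.org/privacy passes the scheme check because it resolves to https; if links must stay on the site's own host, compare url.host as well, which is a policy decision the scheme allow-list alone does not make.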

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-31476
DRUPAL-CONTRIB-2025-027
GHSA-P5G4-V748-6FH8

Affected Products

Tarteaucitron.Js