CVE-2025-46654

Name of the Vulnerable Software and Affected Versions CodiMD versions 2.2.0 and earlier

Description The issue concerns a bypass of the Content Security Policy (CSP) protection mechanism against Cross-Site Scripting (XSS) attacks. This can be achieved by uploading a .html file that references an uploaded .js file, thus allowing the execution of malicious JavaScript content.

Recommendations For versions 2.2.0 and earlier, as a temporary workaround, consider restricting the upload of .html and .js files to minimize the risk of exploitation. Additionally, restrict access to the file upload feature to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.