PT-2025-26200 · Unknown · Openlist Frontend
Zyk2507 · Published 2025-06-18 · Updated 2025-06-19 · CVE-2025-50183
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenList Frontend versions prior to 4.0.0-rc.4
Description
A stored XSS vulnerability exists in the file preview/browsing feature of the application. This occurs when files with a .py extension containing JavaScript code wrapped in <script> tags are interpreted and executed as HTML in certain modes. An attacker can place such a .py file in the system via remote channels, and when a victim views the file in browsing mode, the JavaScript is executed in the browser context. This may allow access to user information, including cookies, login state, and localStorage.
Recommendations
- For versions prior to 4.0.0-rc.4, treat all previewed file types as plain text unless explicitly sanitized.
- For versions prior to 4.0.0-rc.4, disable rendering modes that can interpret user-uploaded content as HTML.
- Update to version 4.0.0-rc.4 or later to patch the vulnerability.
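The first two recommendations, as an added JavaScript example (not OpenList Frontend code): a preview helper that interpolates file content into markup, beside one that escapes it and downgrades any non-text rendering mode. The function names, mode names, response headers chosen and the sample file are assumptions constructed for illustration.

```javascript
// Added example: hypothetical preview helpers, not OpenList Frontend code.
// Constructed sample: a .py upload whose body carries an HTML script element.
const SAMPLE_NAME = "notes.py";
const SAMPLE_BODY = 'print("hi")\n<script>document.title = "ran"</script>\n';

// Only these modes are served; anything else is downgraded (names are assumptions).
const TEXT_MODES = new Set(["text", "code"]);

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Weak form: file content is interpolated into markup, so the browser parses
// any tags inside it regardless of the file extension.
function previewUnsafe(name, body) {
  return `<div class="preview" data-name="${name}">${body}</div>`;
}

// Hardened form: every upload is rendered as text. A request for a mode that
// is not on the allowlist falls back to "text", and both the file name and
// the body are escaped before they reach the markup.
function previewSafe(name, body, requestedMode = "text") {
  const mode = TEXT_MODES.has(requestedMode) ? requestedMode : "text";
  const html =
    `<pre class="preview" data-mode="${mode}" data-name="${escapeHtml(name)}">` +
    `${escapeHtml(body)}</pre>`;
  return { mode, html };
}

// Headers for serving the raw bytes, so that opening the file URL directly
// is not sniffed or rendered as an HTML document.
function rawPreviewHeaders() {
  return {
    "Content-Type": "text/plain; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox",
  };
}
```

In a browser DOM the same effect comes from assigning the file body to `textContent` rather than `innerHTML`.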
Exploit
Fix
XSS
Affected Products
Openlist Frontend