CVE-2025-58361

Name of the Vulnerable Software and Affected Versions Promptcraft Forge Studio (affected versions not specified)

Description Promptcraft Forge Studio, a toolkit for evaluating, optimizing, and maintaining LLM-powered applications, contains an incomplete URL scheme check that does not prevent cross-site scripting (XSS). User-controlled URLs are processed through src/utils/validation.ts, but the validation only removes javascript: and a limited set of patterns. data: URLs, such as data:image/svg+xml,…, are not blocked. If a sanitized value is used in href or src attributes, an attacker can execute a script.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.