PT-2025-36954 · Wabac.Js · Wabac.Js

Dedal0 · Published 2025-09-09 · Updated 2025-09-10 · CVE-2025-58765

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: wabac.js versions 2.23.10 and below
Description: wabac.js provides a full web archive replay system using Service Workers. A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic. The requestURL parameter, derived from the original request target, is directly embedded into an inline <script> block without sanitization or escaping, allowing an attacker to execute arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies.
Recommendations: Update wabac.js to version 2.23.11 or later.
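
The weakness class described above, shown as an added example that is not wabac.js source or the project's actual fix: a 404 page builder that interpolates the request URL into an inline `<script>`, next to a version that passes it through script-context escaping. The function names and the sample URL are hypothetical and constructed for illustration.

```javascript
// Added example; function names are hypothetical, not wabac.js source.

// Constructed sample: a request target carrying a quote and a script end tag.
const SAMPLE_URL = 'https://example.com/missing";</script><b>constructed</b>';

// Vulnerable pattern: the URL is pasted straight into an inline <script>.
function notFoundPageUnsafe(requestURL) {
  return `<!doctype html>
<p>Archived page not found</p>
<script>
  const requestURL = "${requestURL}";
  document.title = "Not found: " + requestURL;
</script>`;
}

// Serialize a value for an inline <script> context. JSON.stringify escapes
// quotes, backslashes and newlines; the replacements stop the HTML parser
// from seeing "</script>" or "<!--" and cover U+2028/U+2029.
function toInlineScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened pattern: same page, but the URL reaches the script only as an
// escaped string literal.
function notFoundPageSafe(requestURL) {
  return `<!doctype html>
<p>Archived page not found</p>
<script>
  const requestURL = ${toInlineScriptLiteral(requestURL)};
  document.title = "Not found: " + requestURL;
</script>`;
}

// Occurrences of a script end tag in the generated markup.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log("unsafe:", countScriptCloses(notFoundPageUnsafe(SAMPLE_URL)));
console.log("safe:  ", countScriptCloses(notFoundPageSafe(SAMPLE_URL)));
```

An extra script end tag in the unsafe output means the request URL has left the string literal and is being parsed as markup; the escaped literal still decodes to the original URL at run time.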

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-58765
GHSA-W765-JM6W-4HHJ

Affected Products

Wabac.Js