PT-2025-37726 · Drawnix · Drawnix

H3Rrr · Published 2025-09-15 · Updated 2025-09-20 · CVE-2025-58172

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: drawnix versions through 0.2.1

Description: drawnix is an all-in-one open-source whiteboard tool. A cross-site scripting (XSS) issue exists in the debug logging functionality. User-controlled content is inserted directly into the DOM via innerHTML without sanitization when the global function drawnix web console is invoked. Specifically, in apps/web/src/app/app.tsx, `div.innerHTML = value` is executed. This can allow arbitrary JavaScript execution in the context of the application if an attacker can cause untrusted data to be passed to the debug logger, potentially exposing user data or enabling unauthorized actions.

Recommendations: Update to version 0.3.0 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-58172
GHSA-CQ57-Q8HG-XHXF

Affected Products

Drawnix