CVE-2025-56313

Name of the Vulnerable Software and Affected Versions JATOS versions 3.7.1 through 3.9.6

Description A Reflected Cross-Site Scripting (XSS) issue exists in JATOS. This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the code URL parameter of the '/publix/run' API endpoint. When an authenticated admin user accesses the study’s URL, the malicious script is interpreted and executed within their browser, potentially leading to unauthorized actions, account compromise, and privilege escalation.

Recommendations Update JATOS to a version newer than 3.9.6.