PT-2025-45509 · Crushftp · Crushftp

Published: 2025-11-07 · Updated: 2026-02-05 · CVE-2025-63420

CVSS v3.1: 4.1 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CrushFTP version 11.3.7 50
Description: A stored cross-site scripting (XSS) issue exists in the CrushFTP Admin Panel, specifically within the Reports / 'Who Created Folder' section. Authenticated attackers who have folder creation permissions can inject malicious HTML or JavaScript code. The vulnerability allows for the execution of arbitrary code within the context of other users' browsers.
Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict folder creation permissions to trusted users only.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-63420

Affected Products: Crushftp