CVE-2025-63708

Name of the Vulnerable Software and Affected Versions SourceCodester AI Font Matcher (nid=18425)

Description A Cross-Site Scripting (XSS) issue exists that enables remote attackers to execute arbitrary JavaScript in a user's browser. This occurs due to improper sanitization of font family names within the webfonts API handling mechanism. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names. Successful exploitation could lead to session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The attack involves injecting a fetch hook that returns controlled font data containing malicious scripts.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.