CVE-2025-23110

Name of the Vulnerable Software and Affected Versions REDCap version 14.9.6

Description A Reflected cross-site scripting (XSS) vulnerability exists in the email-subject field when uploading a CSV file containing a list of alert configurations. An attacker can send a CSV file with the XSS payload in the email-subject to the victim. Once the victim uploads the file, they are directed to a page to view the uploaded data, and clicking on the email-subject value triggers the XSS payload.

Recommendations For REDCap version 14.9.6, consider disabling the upload of CSV files or restricting access to the email-subject field until a patch is available. As a temporary workaround, avoid clicking on email-subject values after uploading CSV files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.