CVE-2025-65858

Name of the Vulnerable Software and Affected Versions Calibre-Web version 0.6.25

Description A Stored Cross-Site Scripting (XSS) issue exists in Calibre-Web. An attacker can inject malicious JavaScript into the username field during user creation. The injected payload is stored without proper sanitization and is executed when the /ajax/listusers endpoint is accessed.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize user input for the username field during user creation. Restrict access to the /ajax/listusers endpoint to minimize the risk of exploitation.