CVE-2025-42620

Name of the Vulnerable Software and Affected Versions Vulnerability-Lookup versions prior to 2.18.0

Description The software does not handle user-controlled content in comments and bundles securely, potentially leading to stored Cross-Site Scripting (XSS). The related vulnerabilities field within bundles accepts arbitrary strings without validation or sanitization. Comment and bundle descriptions are converted from Markdown to HTML and then directly injected into the Document Object Model (DOM) using string templates and innerHTML. This allows an attacker who can create or edit comments or bundles to store malicious HTML/JavaScript payloads that execute in the browser of any user visiting the affected profile page (user.html).

Recommendations Versions prior to 2.18.0 should be updated to version 2.18.0 or later.