CVE-2025-25461

Name of the Vulnerable Software and Affected Versions SeedDMS version 6.0.29

Description A Stored Cross-Site Scripting issue exists, allowing a user or rogue admin with the "Add Category" permission to inject a malicious payload into the category name field. When a document is associated with this category, the payload is stored on the server and rendered without proper sanitization, resulting in the payload executing in the browser of any user who views the document.

Recommendations For SeedDMS version 6.0.29, as a temporary workaround, consider restricting the "Add Category" permission to trusted users until a patch is available. Additionally, avoid using the category name field for any potentially malicious input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.