PT-2026-5133 · Amidaware · Tactical RMM

Published

2026-01-28

·

Updated

2026-01-30

·

CVE-2025-69517

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Amidaware Inc Tactical RMM versions 1.3.1 and earlier

Description

An HTML injection issue in Tactical RMM allows authenticated users to inject arbitrary HTML content when creating a new agent via the /api/v3/newagent/ API endpoint. The agent_id parameter, which accepts up to 255 characters, is sanitized with DOMPurify.sanitize() using the html: true option, which filters HTML input inadequately. The injected HTML is rendered within the Tactical RMM management panel when an administrator attempts to remove or shut down the affected agent, potentially enabling client-side attacks such as UI manipulation or phishing.

Recommendations

Versions prior to 1.3.1 should be updated.
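
The description above leaves two defensive controls implicit: validating agent_id when it is accepted, and encoding it when it is placed into dialog markup. The following is an added example, not code from Tactical RMM or from this advisory. The function names, the allow-list pattern, the dialog markup and the sample identifiers are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not Tactical RMM source code.
const MAX_AGENT_ID_LEN = 255; // limit stated in the advisory
// Assumed allow-list for agent identifiers; the real accepted format may differ.
const AGENT_ID_RE = /^[A-Za-z0-9._-]+$/;

// Input check at the API boundary: length alone does not exclude markup.
function isValidAgentId(value) {
  return typeof value === "string" &&
    value.length > 0 &&
    value.length <= MAX_AGENT_ID_LEN &&
    AGENT_ID_RE.test(value);
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Output encoding for values placed into an HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored identifier is interpolated into dialog markup as-is.
function confirmMessageUnsafe(agentId) {
  return `<p>Remove agent ${agentId}?</p>`;
}

// Hardened pattern: the identifier is encoded, so it can only appear as text.
function confirmMessageSafe(agentId) {
  return `<p>Remove agent ${escapeHtml(agentId)}?</p>`;
}

// Constructed sample identifiers (not taken from any real deployment).
const SAMPLES = ["WS-0042.example", "<b>injected</b>", "a".repeat(256)];

function auditSamples() {
  return SAMPLES.map((id) => ({
    length: id.length,
    accepted: isValidAgentId(id),
    unsafeHasMarkup: confirmMessageUnsafe(id).includes("<b>"),
    safeHasMarkup: confirmMessageSafe(id).includes("<b>"),
  }));
}

console.table(auditSamples());
```

The second sample is well under 255 characters and still carries markup, which is why the length limit has to be paired with a character allow-list on input and encoding on output.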

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-69517

Affected Products

Tactical RMM