CVE-2025-11945

LOW EPSS 21.2%

Published Oct 19, 20258mo ago · Modified Jun 17, 20261w ago

2.0 CVSS 4.0

Low

Published Oct 19, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

Base Score

2.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

21.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-79 Cross-site Scripting Injection

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

References 4

drive.google.com https://drive.google.com/file/d/1L6gX0GY8cE9rS6o50oJzuMRPVMerFQNS
vuldb.com https://vuldb.com/?ctiid.329025
vuldb.com https://vuldb.com/?id.329025
vuldb.com https://vuldb.com/?submit.670888

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.