CVE-2025-14202

HIGH EPSS 16.8%

Published Dec 18, 20256mo ago · Modified Jun 17, 20261w ago

8.2 CVSS 4.0

High

Published Dec 18, 2025 6mo ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in the file upload at bookmark + asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of shared bookmark, JavaScript executes in the admin’s browser, retrieves the CSRF token, and sends a request to change the admin's password resulting in a full account takeover.

CVSS Details

Base Score

8.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction A

Scope X

Threat Intelligence

EPSS Exploit Probability

16.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 1

cve.org https://www.cve.org/cverecord?id=CVE-2025-14202

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.