CVE-2025-51846
- EPSS 0.58%
- Published 30.04.2026 16:35:59
- Last modified 04.05.2026 16:52:11
CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
CVE-2025-49591
- EPSS 0.44%
- Published 18.06.2025 22:15:16
- Last modified 11.08.2025 18:20:31
CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed, due to weak implementation of access controls. An attacker that compromises a user's credentials can g...
CVE-2025-49590
- EPSS 0.28%
- Published 18.06.2025 22:14:06
- Last modified 11.08.2025 18:18:19
CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens be...
CVE-2019-15302
- EPSS 1.36%
- Published 11.09.2019 21:15:11
- Last modified 21.11.2024 04:28:25
The pad management logic in XWiki labs CryptPad before 3.0.0 allows a remote attacker (who has access to a Rich Text pad with editing rights for the URL) to corrupt it (i.e., cause data loss) via a trivial URL modification.
CVE-2017-1000051
- EPSS 1.16%
- Published 17.07.2017 13:18:17
- Last modified 13.05.2026 00:24:29
Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content.