CVE-2025-1076 MEDIUM

CVE-2025-1076: Stored Cross-Site Scripting vulnerability in Holded

Vendor Holded

Product Holded

Weakness CWE-79 · XSS

Published February 6, 2025

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality.

Key dates

02Disclosure timeline

February 6, 2025 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1076 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-6439 VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field CVE-2026-11443 Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability CVE-2023-30780 WordPress User IP and Location Plugin <= 2.2 is vulnerable to Cross Site Scripting (XSS) CVE-2024-3766 slowlyo OwlAdmin Image File Upload upload_image cross site scripting CVE-2021-36737 XSS in V3 Demo Portlet