What the vulnerability does
01Description
All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.
CVSS base score
6.1/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P
Key dates
02Disclosure timeline
April 4, 2025
CVE published
April 4, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2024-5624 Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL
CVE-2024-50348 InstantCMS has a Cross Site Scripting Vulnerability
CVE-2026-0737 Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode
CVE-2025-54806
CVE-2026-3716 Wavlink WL-WN579X3-C adm.cgi sub_401AD4 cross site scripting
