CVE-2025-53839 MEDIUM

CVE-2025-53839: DRACOON Branding Service vulnerable to Cross-site Scripting

Vendor Dracoon
Product security-advisories
Weakness CWE-79 · XSS
Published July 14, 2025
Last update July 15, 2025

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could allow HTML code to be injected into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action.

Key dates

02 Disclosure timeline

July 14, 2025 CVE published
July 15, 2025 Record updated
