CVE-2025-66563 (severity: HIGH)

CVE-2025-66563: Monkeytype vulnerable to stored XSS in approve quotes page

Vendor: Monkeytypegame
Product: monkeytype
Weakness: CWE-79 (cross-site scripting, XSS)
Published: December 4, 2025
Last update: December 5, 2025

CVSS base score: 7.1/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Passive (UI:P)
Confidentiality impact: High (VC:H)
Integrity impact: Low (VI:L)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Monkeytype is a minimalistic and customizable typing test. In version 25.49.0 and earlier, improper handling of user input allows an attacker to execute malicious JavaScript in the browser of anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they are inserted straight into the DOM. If they contain HTML tags, the tags are rendered, because the only escaping applied is a partial one involving quotes and textarea tags.

Disclosure timeline

December 4, 2025: CVE published
December 5, 2025: Record updated
