{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-63260", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T14:08:45.384Z", "dateReserved": "2025-10-27T00:00:00.000Z", "datePublished": "2026-03-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T19:53:21.306Z"}, "descriptions": [{"lang": "en", "value": "SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://syncfusion.com"}, {"url": "https://pentest-tools.com/PTT-2025-023-Multiple-Stored-XSS.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:08:20.433189Z", "id": "CVE-2025-63260", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:08:45.384Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-63260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T14:08:20.433189Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:08:42.505Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://syncfusion.com"}, {"url": "https://pentest-tools.com/PTT-2025-023-Multiple-Stored-XSS.pdf"}], "descriptions": [{"lang": "en", "value": "SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-20T19:53:21.306Z"}}}, "cveMetadata": {"cveId": "CVE-2025-63260", "state": "PUBLISHED", "dateUpdated": "2026-03-23T14:08:45.384Z", "dateReserved": "2025-10-27T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:syncfusion:syncfusion:30.1.37:*:*:*:*:*:*:*", "matchCriteriaId": "F055B5B6-09A5-46EA-85F7-B925AAE3E220", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message."}, {"lang": "es", "value": "SyncFusion 30.1.37 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s del campo de respuesta a comentarios del Editor de Documentos y el mensaje de chat de la interfaz de usuario de chat."}], "id": "CVE-2025-63260", "lastModified": "2026-04-14T19:26:57.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-20T20:16:47.087", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://syncfusion.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://pentest-tools.com/PTT-2025-023-Multiple-Stored-XSS.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "30.1.37"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "syncfusion", "vendor": "syncfusion"}], "analysis": {"en": {"generated_at": "2026-04-14T21:11:44.115904+00:00", "value": {"mitigation_remediation": ["Update SyncFusion Document Editor to a version newer than 30.1.37", "If an update is not immediately possible, restrict unauthenticated or privileged access to the comment and chat features", "Implement content\u2011security policies or input validation to neutralize malicious scripts", "Monitor application logs for abnormal comment or chat entries that may indicate tampering"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is SyncFusion Document Editor version 30.1.37. No other versions or products are listed as impacted.", "description_and_impact": "SyncFusion Document Editor 30.1.37 contains a stored cross\u2011site scripting flaw that allows malicious code to be inserted through the comment reply field and the chat message interface. If an attacker successfully injects script, it will be executed in the browser of any user who views the affected document or chat, potentially stealing session tokens, defacing pages, or executing further attacks. The vulnerability fundamentally compromises the integrity of the user interface and the confidentiality of user data.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, implying no publicly known widespread exploitation. Exploitation requires access to the application\u2019s comment or chat features, and the attacker must deliver malicious payload via those input fields. No active exploit proof of concept is referenced in the available data."}}}}, "created": "2026-03-23T09:54:15.421375+00:00", "updated": "2026-04-15T16:45:09.823234+00:00", "vendors": ["syncfusion", "syncfusion$PRODUCT$syncfusion"]}