Skrol29 TbsZip: Malicious code can be injected via filename

CVE-2025-65465
Summary

Skrol29 TbsZip version 2.17 and earlier does not sanitize error messages before writing them to the page, so a crafted filename can inject script or HTML into the response (reflected XSS). An attacker could use this to perform unauthorized actions on your website. Update to version 2.18 to fix this issue.

Original title
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a craf...
Original description
A reflected Cross-Site Scripting (XSS) vulnerability in the RaiseError function of Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter (e.g., to the FileRead function). This occurs because the error message is not properly sanitized before being output to the user. This vulnerability is fixed in version 2.18.
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
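
The pattern in the description above, as an added PHP example that is not TbsZip source code: an error routine that reflects a filename into HTML unencoded, beside one that encodes it at the point of output. The class, method and property names are hypothetical stand-ins, and the filename is constructed test input.

```php
<?php
// Added example: hypothetical class, NOT the TbsZip implementation.
final class ArchiveReader
{
    public bool $displayError = true;
    public ?string $error = null;

    // Vulnerable pattern: caller-supplied text is written into HTML as-is.
    public function raiseErrorUnsafe(string $msg): bool
    {
        $this->error = $msg;
        if ($this->displayError) {
            echo 'ERROR with the zip archive: ' . $msg . "<br>\n";
        }
        return false;
    }

    // Hardened pattern: encode for the HTML context when the message is output.
    public function raiseError(string $msg): bool
    {
        $this->error = $msg; // raw text kept for logging only
        if ($this->displayError) {
            $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            echo 'ERROR with the zip archive: ' . $safe . "<br>\n";
        }
        return false;
    }

    // No archive is opened in this sketch, so every lookup fails and
    // the requested name ends up inside the error message.
    public function fileRead(string $name, bool $encode = true): bool
    {
        $msg = "File '" . $name . "' is not found in the archive.";
        return $encode ? $this->raiseError($msg) : $this->raiseErrorUnsafe($msg);
    }
}

// Constructed input standing in for a request-derived filename.
$name = '<script>alert(1)</script>.txt';

$reader = new ArchiveReader();
$reader->fileRead($name, false); // markup reaches the page verbatim
$reader->fileRead($name);        // emitted as &lt;script&gt;..., rendered as text

// Defence in depth for callers: keep error text out of the response
// and send it to the server log instead.
$reader->displayError = false;
$reader->fileRead($name);
error_log('archive error: ' . $reader->error);
```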