
User Input is Not Properly Encoded in Authentication Page

CVE-2025-6024
Summary

An attacker can inject malicious scripts into the authentication page, potentially redirecting users to fake sites, manipulating the page, or stealing information from the browser. Because the session-related cookies are protected by the httpOnly flag, this does not allow attackers to steal your users' session cookies, but it is still a serious security risk. You should update the software to fix this issue as soon as possible.

Original title
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into...
Original description
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
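As an added illustration (not the vendor's code; the affected template is not on this page), a constructed login page that reflects the submitted username, shown with the unencoded rendering the description refers to beside its encoded fix, plus the httpOnly cookie attribute the description credits with keeping the session cookie out of reach of injected script:

```python
import html
from http.cookies import SimpleCookie

# Constructed stand-in for the affected page: a login form that reflects the
# submitted username into an error message and into the input's value
# attribute. The real product's template is not on the advisory page.


def render_login_vulnerable(username: str) -> str:
    """Renders the untrusted value without encoding (the CWE-79 defect)."""
    return (
        '<form method="post">'
        f'<p class="error">Unknown user: {username}</p>'
        f'<input name="username" value="{username}">'
        "</form>"
    )


def render_login_fixed(username: str) -> str:
    """Same page with HTML output encoding applied at the rendering sink.
    quote=True also encodes quote characters, which matters inside the
    value="..." attribute and not only in the text node."""
    safe = html.escape(username, quote=True)
    return (
        '<form method="post">'
        f'<p class="error">Unknown user: {safe}</p>'
        f'<input name="username" value="{safe}">'
        "</form>"
    )


def reflects_raw_input(page: str, user_input: str) -> bool:
    """Detection helper for a response: True if the submitted value contains
    HTML metacharacters and still appears verbatim in the rendered page,
    i.e. it was reflected without encoding."""
    has_meta = any(ch in user_input for ch in "<>\"'&")
    return has_meta and user_input in page


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line carrying HttpOnly, the flag the description says
    prevents session hijacking here: the browser withholds such cookies
    from document.cookie, so injected script cannot read them."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    return cookie.output(header="Set-Cookie:")
```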
NVD CVSS 3.1: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026