Koillection, Cross-Site Scripting (XSS), CVE-2025-29746 (Medium)

How the CVE Works:

CVE-2025-29746 is a stored Cross-Site Scripting (XSS) vulnerability in Koillection v1.6.10. An attacker injects malicious JavaScript payloads into user-input fields such as collection names, wishlists, or album descriptions. When other users view these entries, the script executes in their browser, potentially hijacking sessions, defacing pages, or escalating privileges. The vulnerability arises from insufficient sanitization of user input before it is rendered in the application's frontend.

DailyCVE Form:

Platform: Koillection
Version: 1.6.10
Vulnerability: Stored XSS
Severity: Medium
Date: 2025-06-16

Prediction: Patch by 2025-08-15

What Undercode Says:

Analytics:

# Illustrative source search; "unsanitized_input" is a placeholder pattern, not an identifier known to exist in Koillection's code.
grep -r "unsanitized_input" /var/www/koillection/
# Probe request from this page: posts the test payload to the collection endpoint (host and path are placeholders).
curl -X POST -d "<script>alert(1)</script>" http://target/collection/add

How the Exploit Works:

1. Attacker submits malicious script via collection/wishlist field.

2. Script stored in database.

3. Victim loads infected page; script executes.

Protection from this CVE:

  • Escape user-supplied values with htmlspecialchars() before rendering them into HTML.
  • Implement a Content Security Policy (CSP).
  • Update to the patched version once it is released.
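The following is an added example (not Koillection's own code) illustrating the stored-XSS pattern described above and the htmlspecialchars()/CSP mitigations: a collection name is stored verbatim and later rendered into HTML, once without escaping and once with it. The sample rows, the function names and the CSP directive set are constructed for illustration.

```php
<?php
// Added example (not Koillection's code): a stored collection name rendered
// into HTML. Without output escaping the browser executes whatever was stored.
declare(strict_types=1);

// Constructed sample rows, as they might sit in the database after the
// attacker's submission is saved. The second value is the payload quoted above.
const STORED_COLLECTIONS = [
    ['id' => 1, 'name' => 'Board games'],
    ['id' => 2, 'name' => '<script>alert(1)</script>'],
    ['id' => 3, 'name' => 'Vinyl "rare" & signed'],
];

// Vulnerable rendering: the stored value is concatenated straight into markup,
// both inside a double-quoted attribute and as element text.
function renderCollectionVulnerable(array $row): string
{
    return '<li data-name="' . $row['name'] . '">' . $row['name'] . '</li>';
}

// Hardened rendering: every user-controlled value passes through
// htmlspecialchars() at output time. ENT_QUOTES is required because the value
// also lands inside a double-quoted attribute; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently turning the output into an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCollectionHardened(array $row): string
{
    return '<li data-name="' . e($row['name']) . '">' . e($row['name']) . '</li>';
}

// Defense in depth: a CSP without 'unsafe-inline' stops an injected
// <script> block from running even if an escaping gap remains somewhere.
// The directive set is an assumption; a real deployment must allow what
// the application's own pages actually need.
function cspHeader(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
}

foreach (STORED_COLLECTIONS as $row) {
    echo 'vulnerable: ' . renderCollectionVulnerable($row) . PHP_EOL;
    echo 'hardened:   ' . renderCollectionHardened($row) . PHP_EOL;
}
echo cspHeader() . PHP_EOL;
```

Run with `php example.php`: the vulnerable line for row 2 contains a live `<script>` element, while the hardened line shows it as `&lt;script&gt;...` text the browser will only display.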

Impact:

  • Session hijacking
  • Unauthorized actions
  • Data theft

Sources:

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
