CVE-2025-65368
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: MITRE

Description
SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-65368
EUVD
EUVD-2026-2708
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
codewithcj sparkyfitness to 0.15.8.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65368 is a stored Cross-Site Scripting (XSS) vulnerability in SparkyFitness up to version 0.15.8.2. It occurs because user input and large language model (LLM) output are rendered directly into the web page's DOM using React's dangerouslySetInnerHTML without proper sanitization. This allows attackers to inject malicious JavaScript code into chat messages, which is then executed in the browsers of authenticated users viewing those messages. The attack can lead to session hijacking, forged chatbot messages, and unauthorized actions performed on behalf of the victim. [1]

Impact Analysis

This vulnerability can impact you by allowing remote attackers to execute arbitrary JavaScript in your browser when you view infected chat messages. This can result in session hijacking, theft of authentication tokens, forging of AI chatbot messages, and unauthorized API calls performed using your credentials. Essentially, attackers can impersonate you and perform actions without your consent, compromising your account and data security. [1]

Detection Guidance

Detection of this stored XSS vulnerability involves inspecting chat messages for malicious payloads, especially those containing HTML tags with event handlers like <img onerror=>. You can search the chat history database or logs for suspicious patterns such as <img onerror= or other script injection attempts. Additionally, monitoring HTTP requests for unusual fetch calls that exfiltrate tokens may help. Since the vulnerability involves React dangerouslySetInnerHTML rendering unsanitized input, reviewing frontend code or testing with payloads in a controlled environment can confirm the issue. Specific commands depend on your environment, but for example, using grep to find suspicious payloads in logs or database dumps: grep -i -E '<img onerror=|<script' chat_history.log [1]

Mitigation Strategies

Immediate mitigation steps include upgrading SparkyFitness to version v0.16.3 or later, where the vulnerability is fixed by sanitizing content with DOMPurify before rendering. If upgrading is not immediately possible, implement input sanitization on user inputs and LLM outputs to prevent script injection. Avoid using React's dangerouslySetInnerHTML with unsanitized content. Additionally, restrict user permissions to limit exposure, monitor chat messages for suspicious content, and educate users about the risk of interacting with untrusted messages. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart