CVE-2025-63260
Cross-Site Scripting in SyncFusion Document Editor and Chat UI
Publication date: 2026-03-20
Last updated on: 2026-04-14
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| syncfusion | syncfusion | 30.1.37 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2025-63260 vulnerability is a Stored Cross-Site Scripting (XSS) issue found in Syncfusion version 30.1.37. It affects two main components: the Document-Editor reply-to-comment field and the Chat-UI chat message feature.
In the Document-Editor, while the original comment fields sanitize inputs, the reply to a comment does not properly sanitize user input, allowing attackers to inject malicious scripts that execute when the reply is viewed.
In the Chat-UI, chat messages are not sanitized, enabling attackers to send messages containing malicious HTML or scripts that execute when displayed to chat participants.
These vulnerabilities allow attackers to inject and execute arbitrary scripts in the context of the affected web applications.
How can this vulnerability impact me?
This vulnerability can impact users and organizations by allowing attackers to execute malicious scripts within Syncfusion-powered web applications.
- Compromise of user sessions, potentially leading to unauthorized access.
- The theft or manipulation of sensitive data displayed or stored in the affected applications.
- Potential disruption of application functionality or user experience through injected scripts.
The severity of impact depends on the specific data and functionalities of the affected web applications, with the internal Syncfusion security team rating it as High severity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing the affected Syncfusion components for stored Cross-Site Scripting (XSS) in the Document-Editor reply-to-comment field and the Chat-UI chat message input.
Specifically, you can attempt to inject typical XSS payloads such as <img onerror=alert(1) src> into the reply to comments or chat messages and observe if the payload executes when rendered.
For detection on your system, you can use web application security testing tools or manual testing by accessing the relevant Syncfusion document editor and chat UI components and submitting crafted inputs.
There are no specific commands provided in the resources, but using browser developer tools to inspect the rendering of replies and chat messages after injecting test payloads can help confirm the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user input in the reply-to-comment fields and chat message inputs so that malicious scripts are neither stored nor executed.
If you are using Syncfusion version 30.1.37, consider upgrading to a patched version once available or applying any official patches or workarounds provided by Syncfusion.
In the meantime, restrict or monitor user inputs in affected components and consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks.
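The following is an added example that is not Syncfusion code and does not reflect how the Document Editor or Chat UI are implemented internally; it illustrates the two points made in the detection and mitigation answers above. It contrasts the vulnerable pattern (interpolating a stored reply or chat message straight into markup) with the hardened pattern (HTML-encoding every untrusted field first), using the page's own test payload as constructed sample input, and adds a small scanner that a defender can run over already-stored replies and messages to find records that contain active markup. All function names are hypothetical.

```javascript
// Added defensive example, not code from Syncfusion or from the CVE record.
// Minimal HTML encoding: the five characters that can change HTML context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the class of bug the CVE describes): a stored reply or
// chat message is concatenated into markup unchanged, so any tag or event
// handler in it becomes live when the message is displayed to other users.
function renderMessageUnsafe(author, body) {
  return `<div class="msg"><b>${author}</b>: ${body}</div>`;
}

// Hardened pattern: every untrusted field is encoded before interpolation, so
// the same payload renders as visible text rather than executing.
function renderMessageSafe(author, body) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Defender-side check for stored data: flag records that contain what looks
// like an HTML tag or an inline event-handler attribute. This is a heuristic
// for triage (find suspect replies/messages already in the database), not a
// substitute for output encoding at render time.
function flagSuspiciousStoredInput(text) {
  const looksLikeTag = /<\s*[a-z]/i.test(text);          // "<img", "<script", "< svg"
  const looksLikeHandler = /\son[a-z]+\s*=/i.test(text);  // " onerror=", " onload ="
  return looksLikeTag || looksLikeHandler;
}

// Scan a list of stored records and return the ids that need review.
function findSuspiciousRecords(records) {
  return records
    .filter((r) => flagSuspiciousStoredInput(r.body))
    .map((r) => r.id);
}

// Constructed sample data: one record carries the payload quoted on the page,
// the others are ordinary text (including a literal "<" that must not be flagged).
const SAMPLE_RECORDS = [
  { id: 'reply-1', body: 'Looks good, thanks.' },
  { id: 'reply-2', body: '<img onerror=alert(1) src>' },
  { id: 'chat-7', body: 'Note: 2 < 3 is true' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const payload = SAMPLE_RECORDS[1].body;
  console.log('unsafe :', renderMessageUnsafe('alice', payload));
  console.log('safe   :', renderMessageSafe('alice', payload));
  console.log('review :', findSuspiciousRecords(SAMPLE_RECORDS));
}
```

Output encoding at the point where the reply or message is placed into the page is the fix the mitigation answer calls for; the stored-data scanner only helps locate records that were accepted before the fix. A Content Security Policy that disallows inline scripts and event handlers (for example a `script-src` without `'unsafe-inline'`) is the defence-in-depth layer the last answer mentions, and it limits what an injected handler like the one in the sample can do even if encoding is missed somewhere.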