CVE-2025-63260
Status: Received - Intake
Cross-Site Scripting in SyncFusion Document Editor and Chat UI

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: MITRE

Description
SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
One associated CPE:
Vendor: syncfusion; Product: syncfusion; Version / Range: 30.1.37
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

The CVE-2025-63260 vulnerability is a Stored Cross-Site Scripting (XSS) issue found in Syncfusion version 30.1.37. It affects two main components: the Document-Editor reply to comment field and the Chat-UI chat message feature.

In the Document-Editor, the original comment field sanitizes input, but the reply to a comment does not, so an attacker can store a script in a reply that executes whenever the reply is viewed.

In the Chat-UI, chat messages are not sanitized at all, so a message containing HTML or script executes in the browser of every participant to whom it is displayed.

These vulnerabilities allow attackers to inject and execute arbitrary scripts in the context of the affected web applications.

Impact Analysis

This vulnerability can impact users and organizations by allowing attackers to execute malicious scripts within Syncfusion-powered web applications, leading to:

  • Compromise of user sessions, potentially leading to unauthorized access.
  • Theft or manipulation of sensitive data displayed or stored in the affected applications.
  • Disruption of application functionality or user experience through injected scripts.

The severity of impact depends on the specific data and functionalities of the affected web applications, with the internal Syncfusion security team rating it as High severity.

Compliance Impact

No compliance impact information is available in the sources.

Detection Guidance

The vulnerability can be detected by testing the affected Syncfusion components for stored Cross-Site Scripting (XSS) in two places: the Document-Editor reply-to-comment field and the Chat-UI chat message input.

Specifically, you can attempt to inject typical XSS payloads such as <img onerror=alert(1) src> into the reply to comments or chat messages and observe if the payload executes when rendered.

For detection on your system, you can use web application security testing tools or manual testing by accessing the relevant Syncfusion document editor and chat UI components and submitting crafted inputs.

The resources provide no specific commands, but inspecting how replies and chat messages are rendered with the browser developer tools after submitting a test payload can confirm whether the input is inserted as markup rather than as text.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs in the reply to comment fields and chat message inputs to prevent malicious scripts from being stored and executed.

If you are using Syncfusion version 30.1.37, consider upgrading to a patched version once available or applying any official patches or workarounds provided by Syncfusion.

In the meantime, restrict or monitor user input in the affected components and consider deploying Content Security Policy (CSP) headers to limit what an injected script can do if one does execute.
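Added example (not Syncfusion code and not from this page): a hypothetical comment-reply / chat-message renderer in the unsafe shape that the Detection Guidance above probes, its escaped counterpart, and a review helper that scans already-stored message bodies for markup so they can be inspected after upgrading. All function names and sample records are constructed.

```javascript
// Added example (not Syncfusion code): the defect class behind CVE-2025-63260 and its
// fix, modelled on a hypothetical reply/chat-message renderer, plus a scan that flags
// stored bodies containing markup for review after the upgrade.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable renderer: the body is concatenated into markup unescaped,
// so a stored reply or chat message runs in every viewer's browser.
function renderMessageUnsafe(author, body) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${body}</div>`;
}

// Hardened renderer: every user-controlled field is escaped before interpolation.
function renderMessageSafe(author, body) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Patterns that should never occur in a plain-text field: an opening tag
// ("<" directly followed by a tag name, "!" or "/") or an on*= handler attribute.
const MARKUP_PATTERNS = [/<[a-z!\/]/i, /\bon[a-z]+\s*=/i];

// Post-incident review helper: ids of stored messages whose body contains markup.
// A bare "<" used as a comparison ("a < b") is not flagged.
function findMessagesWithMarkup(records) {
  return records
    .filter((r) => MARKUP_PATTERNS.some((re) => re.test(r.body)))
    .map((r) => r.id);
}

// Constructed sample store; the second body is the probe string named above.
const SAMPLE_MESSAGES = [
  { id: 1, body: "Looks good, approve." },
  { id: 2, body: "<img onerror=alert(1) src>" },
  { id: 3, body: "Note that a < b in the formula" },
  { id: 4, body: 'see <a href="#" onclick="x()">here</a>' },
];

console.log(findMessagesWithMarkup(SAMPLE_MESSAGES)); // [2, 4]
```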
