CVE-2025-67438

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

20/02/2026

Last modified:

20/02/2026

Description

A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim&#39;s browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user&#39;s session cookies.

Impact

References to Advisories, Solutions, and Tools

https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad
https://github.com/Sync-in/server/releases/tag/v1.9.3