CVE-2025-56526

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-56526
Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/Cinnamon/kotaemon Product
https://github.com/Cinnamon/kotaemon/commit/37cdc28 Patch
https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure Exploit Third Party Advisory
https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 Exploit Third Party Advisory
https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*
History

02 Dec 2025, 19:35

Type Values Removed Values Added
References () https://github.com/Cinnamon/kotaemon - () https://github.com/Cinnamon/kotaemon - Product
References () https://github.com/Cinnamon/kotaemon/commit/37cdc28 - () https://github.com/Cinnamon/kotaemon/commit/37cdc28 - Patch
References () https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure - () https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure - Exploit, Third Party Advisory
References () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 - () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 - Exploit, Third Party Advisory
References () https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 - () https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 - Exploit, Third Party Advisory
CPE cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*
First Time Cinnamon kotaemon
Cinnamon

19 Nov 2025, 15:15

Type Values Removed Values Added
References
  • () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 -

18 Nov 2025, 17:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-11-18 17:16

Updated : 2025-12-02 19:35

NVD link : CVE-2025-56526

Mitre link : CVE-2025-56526

CVE.ORG link : CVE-2025-56526

JSON object : View

Products Affected

cinnamon

  • kotaemon
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')