Cross Site Scripting Vulnerability in Jakowenko Double-Take API
CVE-2025-11360
5.3 MEDIUM
What is CVE-2025-11360?
A vulnerability in the API component of Jakowenko Double-Take allows Cross Site Scripting (XSS) attacks that can be launched remotely. The flaw stems from improper handling of the X-Ingress-Path argument in the app.use function within api/src/app.js. Users of Double-Take are advised to upgrade to version 1.13.2 or later to apply the security patch and mitigate this risk. The patch is commit e11de9dd6b4ea6b7ec9a5607a920d48961e9fa50.
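One way to handle a proxy-supplied path header such as X-Ingress-Path before it reaches a page, shown as an added example that is not Double-Take's code or its patch. It assumes the header value is inserted into HTML sent to the browser; the function names and the `{{INGRESS_PATH}}` placeholder are hypothetical.

```javascript
// Added example, not Double-Take's code. Assumption: the X-Ingress-Path
// header value is inserted into HTML that is served to the browser.

// Allow only an absolute path built from URL-safe path characters.
const INGRESS_PATH_RE = /^\/[A-Za-z0-9_\-.\/]{0,255}$/;

function safeIngressPath(headerValue) {
  // Anything that is not a single string is treated as "no ingress path".
  if (typeof headerValue !== 'string') return '';
  const value = headerValue.trim();
  if (!INGRESS_PATH_RE.test(value)) return '';
  // Reject protocol-relative values ("//host") and parent-directory segments.
  if (value.startsWith('//') || value.split('/').includes('..')) return '';
  return value.replace(/\/+$/, ''); // drop trailing slashes
}

// Defence in depth: encode for the HTML context even after validation.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical template placeholder: {{INGRESS_PATH}}
function renderIndex(template, headers) {
  const path = safeIngressPath(headers['x-ingress-path']);
  // split/join avoids the special "$" patterns of String.prototype.replace.
  return template.split('{{INGRESS_PATH}}').join(escapeHtml(path));
}

// Constructed sample inputs: one plausible proxy value, two that must be dropped.
const TEMPLATE = '<base href="{{INGRESS_PATH}}/">';
const samples = [
  '/api/hassio_ingress/abc123',
  '"><script>alert(1)</script>',
  '//example.invalid/x',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', renderIndex(TEMPLATE, { 'x-ingress-path': s }));
}
```

Values that fail validation are replaced with an empty path rather than repaired, so the page falls back to its root-relative URLs.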
Affected Version(s)
double-take 1.13.0
double-take 1.13.1
double-take 1.13.2