Cross-Site Scripting Vulnerability in Bitdefender SecurePass by Psono
CVE-2025-1987

9.3 CRITICAL

Key Information:

Vendor: Psono

CVE Published: 21 June 2025

What is CVE-2025-1987?

A Cross-Site Scripting (XSS) vulnerability has been discovered in the Psono-Client's handling of vault entries of type website_password and bookmark. The URL field of these entries is not adequately sanitized, so an attacker can create a malicious vault entry, or deceive a user into importing one, that contains a javascript: URL. If the user then interacts with the malicious entry, for example by clicking on it, the application may execute the JavaScript code in the context of the Psono vault, potentially exposing the user to risks such as unauthorized access to their password vault and other sensitive information.
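The check this class of bug calls for is a scheme allowlist applied to the URL field on import and again before the value is rendered as a link. The following is an added example, not Psono's code or its actual fix; the entry field names (type, name, url), the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example. Entry shape and sample data are constructed, not taken from Psono.
const URL_ENTRY_TYPES = new Set(["website_password", "bookmark"]); // types named in the advisory
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized http(s) URL, or null if the value must never become a link.
function safeEntryUrl(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let parsed;
  try {
    // The WHATWG parser lowercases the scheme and strips leading control
    // characters and embedded tabs/newlines, so the scheme seen here is the
    // one a browser would act on.
    parsed = new URL(raw);
  } catch {
    // No scheme at all (e.g. "docs.example/start"): treat as a host name.
    try { parsed = new URL("https://" + raw.trim()); } catch { return null; }
  }
  // Fail closed: anything that is not http(s) is rejected, not rewritten.
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Splits an import into entries that are safe to store and entries to refuse.
function sanitizeImport(entries) {
  const accepted = [], rejected = [];
  for (const entry of entries) {
    if (!URL_ENTRY_TYPES.has(entry.type) || !entry.url) { accepted.push(entry); continue; }
    const url = safeEntryUrl(entry.url);
    if (url === null) rejected.push({ name: entry.name, url: entry.url });
    else accepted.push({ ...entry, url });
  }
  return { accepted, rejected };
}

// Constructed sample import file contents.
const sampleImport = [
  { type: "website_password", name: "Intranet", url: "https://intranet.example/login" },
  { type: "bookmark", name: "Docs", url: "docs.example/start" },
  { type: "bookmark", name: "Mixed case", url: "  JaVaScRiPt:void(0)" },
  { type: "website_password", name: "Tab in scheme", url: "java\tscript:void(0)" },
  { type: "note", name: "Free text" },
];

const result = sanitizeImport(sampleImport);
console.log("accepted:", result.accepted.map((e) => e.name));
console.log("rejected:", result.rejected.map((e) => e.name));
```

A scheme-less value that contains a colon, such as a bare host:port, is parsed as an unknown scheme and rejected, which is the intended fail-closed behaviour.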

Affected Version(s)

Psono-client 0 <= 4.0.4

SecurePass 0 < 0.0.76

SecurePass 0 < 1.1.18

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ionut DRĂGUȚ, Bitdefender Labs