Denial of Service Vulnerability in CryptPad by CryptPad Team
CVE-2025-51846

8.7HIGH

Key Information:

Vendor: Cryptpad
Status: Cryptpad
Vendor: CVE Published:; 30 April 2026

What is CVE-2025-51846?

CryptPad version 2025.3.1 is vulnerable to an unbounded WebSocket frame flood, which allows a remote, unauthenticated attacker to overwhelm the service. This type of attack can significantly degrade performance or even deny service to all users of the CryptPad instance. The issue has been addressed in version 2026.2.2, where mitigations have been implemented to prevent such abuse.

Affected Version(s)

CryptPad 2025.3.1

CryptPad 2025.3.1 < 2026.2.2

CryptPad 2026.2.2

References

https://github.com/cryptpad/cryptpad/pull/2239/changes/1e...

https://www.cve.org/CVERecord?id=CVE-2025-51846

https://raw.githubusercontent.com/cisagov/CSAF/develop/cs...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2026
Vulnerability Reserved
Jun 16, 2025

Credit

John Perifanis, Unisystems

CVE-2025-51846 Data

JSON

Cryptpad

What is CVE-2025-51846?

Affected Version(s)

References

CVSS V4

Timeline

Credit