Cross-Site Scripting Vulnerability in Dependency-Track's Login Page
CVE-2025-64758

4.8MEDIUM

Key Information:

Vendor

Dependencytrack

Status
Frontend
Vendor
CVE Published:
17 November 2025

What is CVE-2025-64758?

A vulnerability in Dependency-Track affects users with SYSTEM_CONFIGURATION permission by allowing arbitrary JavaScript execution through unsanitized HTML in the 'welcome message' rendered on the login page. This flaw enables administrators to introduce malicious scripts, threatening user security. The issue has been addressed in Dependency-Track version 4.13.6, reinforcing the importance of upgrading to mitigate such risks.

Affected Version(s)

frontend >= 4.12.0, < 4.13.6

References

https://github.com/DependencyTrack/frontend/security/advi...
x_refsource_CONFIRM
https://github.com/DependencyTrack/frontend/pull/1378
x_refsource_MISC
https://github.com/DependencyTrack/frontend/pull/986
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64758 : Cross-Site Scripting Vulnerability in Dependency-Track's Login Page