Stored Cross-Site Scripting Vulnerability in Sync-in Server
CVE-2025-67438

6.1 MEDIUM

Key Information:

Vendor: Sync-in
CVE Published: 20 February 2026

What is CVE-2025-67438?

A Stored Cross-Site Scripting vulnerability exists in Sync-in Server versions prior to 1.9.3, allowing authenticated attackers to inject and execute arbitrary JavaScript in the browsers of users. This is achieved by uploading a specially crafted SVG file that contains a malicious payload. When a user views the file, the script runs in that user's browser and can exfiltrate sensitive information, such as session cookies, posing a serious threat to user privacy and security.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
