CVE-2025-29746

6.1 MEDIUM

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in Koillection v1.6.10 allows remote attackers to inject malicious scripts via collection, wishlist, and album components. This could enable privilege escalation by tricking authenticated users into executing attacker-controlled scripts. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Koillection
Versions: v1.6.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Any instance with collection, wishlist, or album functionality enabled is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal administrator session cookies, gain full administrative access to the Koillection instance, and potentially compromise the underlying server if the application runs with elevated privileges.

🟠 Likely Case

Attackers could steal user session tokens, perform actions on behalf of authenticated users, deface the application, or redirect users to malicious sites.

🟢 If Mitigated

With proper Content Security Policy (CSP) headers and input validation, the impact would be limited to minor UI manipulation without privilege escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (victim must visit a malicious page or click a crafted link). The GitHub issue contains technical details that could be weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.6.11 or later

Vendor Advisory: https://github.com/benjaminjonard/koillection/issues/1329

Restart Required: Yes

Instructions:

1. Backup your current Koillection installation and database.
2. Download the latest version from the official repository.
3. Replace the existing files with the patched version.
4. Restart the web server service.
5. Verify the fix by testing the previously vulnerable endpoints.

🔧 Temporary Workarounds

Implement Content Security Policy
Applies to: all

Add a restrictive CSP header to prevent script execution from untrusted sources.

Add to web server config:
Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Filter
Applies to: all

Add server-side input validation for collection, wishlist, and album fields.

Implement HTML entity encoding for user inputs in affected components.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Disable user-generated content features if not essential

🔍 How to Verify

Check if Vulnerable:

Test if unsanitized HTML/JavaScript can be injected into collection, wishlist, or album fields and persists when rendered

Check Version:

Check the version in Koillection admin panel or examine the application's version file

Verify Fix Applied:

Attempt the same XSS payloads after patching; they should be properly sanitized or rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to collection/wishlist/album endpoints with script tags
  • Multiple failed login attempts following suspicious input submissions

Network Indicators:

  • HTTP requests containing <script> tags in POST parameters
  • Outbound connections to unfamiliar domains after user visits collection pages

SIEM Query:

web.url:*koillection* AND (web.param:*<script>* OR web.param:*javascript:* OR web.param:*onerror=*)
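As an added example (not code from the advisory or from the Koillection project), the log indicators above applied to constructed access-log lines: it flags POSTs to the affected components whose URL-decoded body carries one of the listed markers. The endpoint paths /collections, /wishlists and /albums and the log format (combined log with the POST body as a trailing quoted field) are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed URL prefixes of the Koillection components named in the advisory.
AFFECTED_PATHS = ("/collections", "/wishlists", "/albums")

# Markers from the Detection & Monitoring section, matched after URL-decoding.
XSS_MARKERS = re.compile(r"<script|javascript:|onerror=", re.IGNORECASE)

# Constructed sample log lines (not real traffic). The last quoted field is the
# POST body, an assumed log format.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2025:10:00:01 +0000] "POST /collections/new HTTP/1.1" 302 0 "title=Books&description=My+favourites"
10.0.0.9 - bob [01/Jan/2025:10:00:07 +0000] "POST /wishlists/new HTTP/1.1" 302 0 "title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
10.0.0.9 - bob [01/Jan/2025:10:00:12 +0000] "POST /albums/edit/3 HTTP/1.1" 302 0 "title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
10.0.0.5 - alice [01/Jan/2025:10:00:20 +0000] "GET /collections/1 HTTP/1.1" 200 5120 "-"
10.0.0.7 - carol [01/Jan/2025:10:00:31 +0000] "POST /login HTTP/1.1" 401 0 "_username=%3Cscript%3E&_password=x"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \d+ "(?P<body>[^"]*)"$'
)


def suspicious_requests(log_text):
    """Return (ip, user, path, decoded_body) for each POST to an affected
    component whose body contains an XSS marker. Requests to other paths
    (e.g. /login) are ignored even if they carry a marker, and the body is
    URL-decoded first so percent-encoded payloads are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith(AFFECTED_PATHS):
            continue
        body = unquote_plus(m["body"])
        if XSS_MARKERS.search(body):
            hits.append((m["ip"], m["user"], m["path"], body))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```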
