CVE-2025-56526

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Kotaemon 0.11.0 allows attackers to inject malicious scripts via crafted PDF content. When rendered by the application, this can execute arbitrary JavaScript in victims' browsers. Users of Kotaemon 0.11.0 are affected.

💻 Affected Systems

Products:
  • Kotaemon
Versions: 0.11.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in PDF content rendering without proper sanitization.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions within the application context.

🟢 If Mitigated

Limited to same-origin policy restrictions; impact depends on application permissions and user privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires uploading a malicious PDF; public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 37cdc28

Vendor Advisory: https://github.com/Cinnamon/kotaemon/commit/37cdc28

Restart Required: No

Instructions:

1. Update Kotaemon to a version that includes commit 37cdc28.
2. Ensure PDF content is properly sanitized before rendering.
3. Review and apply security patches from the repository.

🔧 Temporary Workarounds

Disable PDF uploads (applies to: all)

Temporarily disable PDF upload functionality in Kotaemon.

Modify application configuration to reject PDF file uploads.

Implement Content Security Policy (applies to: all)

Add CSP headers to restrict script execution from untrusted sources.

Add 'Content-Security-Policy' header with appropriate directives in web server configuration.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for PDF content.
  • Use web application firewall (WAF) rules to block malicious PDF uploads.
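The two controls above (output encoding of PDF-derived content, and a restrictive CSP) are shown together below as an added example; this is not Kotaemon's own code, and it assumes a hypothetical rendering path in which text extracted from an uploaded PDF is embedded in an HTML fragment shown to other users. The constructed sample text and the `render_unsafe` / `render_safe` / `build_csp` names are assumptions, not taken from the project.

```python
"""Added example (not Kotaemon's own code): rendering PDF-derived text safely
and building a restrictive Content-Security-Policy header value.

Assumptions: the application extracts a text layer from an uploaded PDF and
interpolates it into HTML; function names and the sample text are hypothetical.
"""
import html
import re

# Constructed sample: what a text extractor might return if a PDF's text layer
# carried markup. A harmless test string, not taken from any real exploit.
CONSTRUCTED_PDF_TEXT = (
    'Quarterly report <script>alert(1)</script> '
    '<a href="javascript:void(0)">link</a>'
)


def render_unsafe(extracted_text: str) -> str:
    """'Before' pattern: raw text interpolated into HTML.

    Markup inside the PDF's text layer is emitted as markup, which is the
    stored XSS condition the advisory describes.
    """
    return f"<div class='doc'>{extracted_text}</div>"


def render_safe(extracted_text: str) -> str:
    """Hardened form: HTML-escape so the browser displays the text instead
    of parsing it. quote=True also escapes quotes, so the value is safe in
    attribute context as well as element context."""
    return f"<div class='doc'>{html.escape(extracted_text, quote=True)}</div>"


_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_markup(rendered_html: str) -> bool:
    """Self-check: True if the fragment still contains a raw tag inside the
    wrapper <div>, i.e. content from the PDF survived as markup."""
    inner = rendered_html[len("<div class='doc'>"):-len("</div>")]
    return bool(_TAG.search(inner))


# Directive set for the CSP workaround. Omitting 'unsafe-inline' from
# script-src means an inline <script> injected into page content is not run
# even if encoding is missed somewhere; object-src 'none' blocks plugin embeds.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def build_csp(directives=CSP_DIRECTIVES) -> str:
    """Serialise the directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


if __name__ == "__main__":
    print("unsafe :", render_unsafe(CONSTRUCTED_PDF_TEXT))
    print("safe   :", render_safe(CONSTRUCTED_PDF_TEXT))
    print("CSP    :", build_csp())
```

Output encoding is the fix; the CSP is defence in depth. A CSP that keeps `'unsafe-inline'` in `script-src` (common in apps that rely on inline scripts) does not stop this class of injection, so check the effective policy in a browser's developer tools after adding the header.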

🔍 How to Verify

Check if Vulnerable:

Check if running Kotaemon 0.11.0; test PDF upload with script payloads to see if executed.

Check Version:

Check package.json or application metadata for version information.

Verify Fix Applied:

Verify application version includes commit 37cdc28; test PDF upload with script payloads to confirm no execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF uploads, large file sizes, or suspicious filenames in application logs.

Network Indicators:

  • HTTP requests with PDF uploads containing script-like patterns.

SIEM Query:

source="kotaemon_logs" AND (file_extension="pdf" AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:"))
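As an added example (not Kotaemon's own code or logging format), the query's logic applied to upload log lines in Python, with the large-upload indicator from the Log Indicators list folded in. The log line format, the field names and the size threshold are constructed for this example; the regex must be adjusted to the real log format.

```python
"""Added example (not Kotaemon's own code): first-pass triage of PDF upload
log lines using the advisory's SIEM query logic.

The line format, field names and size threshold below are constructed for
this example; Kotaemon's real log format is not specified in the advisory.
"""
import re
from dataclasses import dataclass

# Hypothetical log line shape:
#   <ts> upload user=<user> file="<name>" size=<bytes> text="<extracted text>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) upload user=(?P<user>\S+) file="(?P<file>[^"]+)" '
    r'size=(?P<size>\d+) text="(?P<text>.*)"$'
)

# The two substrings from the SIEM query, matched case-insensitively so that
# <SCRIPT> or JavaScript: are not missed by a literal match.
SCRIPT_PATTERNS = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)

# Constructed threshold for the "large file sizes" indicator; tune per deployment.
LARGE_UPLOAD_BYTES = 20 * 1024 * 1024


@dataclass
class Finding:
    ts: str
    user: str
    file: str
    reasons: list


def triage(lines):
    """Return one Finding per PDF upload line that matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped, not treated as alerts
        if not m["file"].lower().endswith(".pdf"):
            continue  # file_extension="pdf" clause of the query
        reasons = []
        if SCRIPT_PATTERNS.search(m["text"]):
            reasons.append("script-like content in extracted PDF text")
        if int(m["size"]) > LARGE_UPLOAD_BYTES:
            reasons.append("unusually large PDF upload")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["file"], reasons))
    return findings


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    '2025-10-01T09:12:03Z upload user=alice file="q3-report.pdf" size=184320 text="Revenue grew 4% in Q3."',
    '2025-10-01T09:13:44Z upload user=mallory file="invoice.pdf" size=2048 text="Paid <SCRIPT>alert(1)</SCRIPT>"',
    '2025-10-01T09:15:10Z upload user=bob file="notes.txt" size=512 text="<script>not a pdf</script>"',
    '2025-10-01T09:16:02Z upload user=carol file="scan.pdf" size=31457280 text="Scanned image, no text layer"',
    'garbage line that does not match',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, f.user, f.file, "; ".join(f.reasons))
```

A substring match on extracted text is a coarse signal: it catches the obvious cases and produces false positives on legitimate documents that quote HTML, and it misses content the extractor never logs. Treat hits as a prompt to review the upload, and rely on the patch and output encoding as the actual control.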
