CVE-2025-26210

HIGH

DeepSeek R1-V3.1 - Cross-Site Scripting via run-html-chat.deepseeksvc.com

Title source: llm
STIX 2.1

Description

DeepSeek R1 through V3.1 allows XSS, as demonstrated by JavaScript execution in the context of the run-html-chat.deepseeksvc.com domain. NOTE: some third parties have indicated that this is intended behavior.

References (3)

Core 3
Core References
Permissions Required
https://deepseek.com

Scores

CVSS v3 8.8
EPSS 0.0054
EPSS Percentile 41.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (3)
deepseek/deepseek-r1 1.0
deepseek/deepseek-v2
deepseek/deepseek-v3 1.0
Published Sep 03, 2025
Tracked Since Feb 18, 2026