CVE-2025-3191
MEDIUMreact-draft-wysiwyg - Stored Cross-Site Scripting via Embedded Button
Title source: llmDescription
All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.
References (2)
Core 2
Core References
Various Sources
https://gist.github.com/th4s1s/175ae4b2632096059b42377dd6c49d47
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-REACTDRAFTWYSIWYG-8515884
Scores
CVSS v3
6.1
EPSS
0.0051
EPSS Percentile
66.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
n/a/react-draft-wysiwyg
npm/react-draft-wysiwyg
0npm
Published
Apr 04, 2025
Tracked Since
Feb 18, 2026