CVE-2025-57292

MEDIUM

Todoist v8484 - Stored Cross-Site Scripting via Avatar Upload

Title source: llm

Description

Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata.

Scores

CVSS v3 6.1
EPSS 0.0022
EPSS Percentile 13.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
doist/todoist 8484
Published Sep 26, 2025
Tracked Since Feb 18, 2026