Description
Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27
Scores
CVSS v3
6.1
EPSS
0.0003
EPSS Percentile
8.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
monkeytype/monkeytype
< 25.49.0
Published
Dec 04, 2025
Tracked Since
Feb 18, 2026