Description
An HTML injection vulnerability in the conference description field of TrueConf Server 5.5.2.10813 allows an attacker to inject arbitrary HTML through the Create/Edit conference functionality. The payload is triggered when the victim opens the Conference Info page ([conference url]/info).
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66823/README.md
Product
https://trueconf.com
Scores
CVSS v3: 5.4
EPSS: 0.0005
EPSS Percentile: 15.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): trueconf/server 5.5.2.10813
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026