ASencerK/TodoistStoredXSS

Releases0

Discovered Stored XSS vulnerability on Todoist's platform through the avatar upload feature

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-57292 ↗	Sep 26, 2025Friday, 26 September 2025, 15:16	6.1 MEDIUM	—
Todoist v8484 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload functionality. The application fails to properly validate the MIME type and sanitize image metadata.