HanTul/Kotaemon-CVE-2025-56526-56527-disclosure

Public disclosure for CVE-2025-56526 and CVE-2025-56527 — Stored XSS via unsanitized PDF content rendering and plaintext credential exposure in Kotaemon 0.11.0. Includes full technical analysis, PoC, impact assessment, and responsible disclosure timeline.

CVE History

CVSS v3 6.1 (MEDIUM): Cross-site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF.

CVSS v3 7.5 (HIGH): Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.