Lookup for vulnerable packages by Package URL.

purl: pkg:pypi/calibreweb@0.6.25
type: pypi
namespace:
name: calibreweb
version: 0.6.25
qualifiers:
subpath:
is_vulnerable: true
next_non_vulnerable_version: 0.6.16
latest_non_vulnerable_version: 0.6.20
affected_by_vulnerabilities:
  - url: VCID-gb1g-yf4f-tygr
    vulnerability_id: VCID-gb1g-yf4f-tygr
    summary:
      Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation
      A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.
    references:
      - reference_url: https://github.com/janeczku/calibre-web
        reference_id:
        reference_type:
        scores:
        url: https://github.com/janeczku/calibre-web
      - reference_url: https://nvd.nist.gov/vuln/detail/CVE-2025-65858
        reference_id: CVE-2025-65858
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2025-65858
      - reference_url: https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md
        reference_id: CVE-2025-65858.MD
        reference_type:
        scores:
        url: https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md
      - reference_url: https://github.com/advisories/GHSA-pc5g-j9j7-p4q3
        reference_id: GHSA-pc5g-j9j7-p4q3
        reference_type:
        scores:
        url: https://github.com/advisories/GHSA-pc5g-j9j7-p4q3
    fixed_packages:
    aliases: CVE-2025-65858, GHSA-pc5g-j9j7-p4q3
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-gb1g-yf4f-tygr
fixing_vulnerabilities:
risk_score: null
resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.25
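Parsing the Package URL and triaging a lookup result like the one above, as an added example that is not VulnerableCode's own code or client library. The record is constructed inline from the page's fields (its shape is assumed from the rendered output, not taken from a verified API schema) and no network call is made. The triage step flags the caveat this particular record illustrates: is_vulnerable is true, yet both listed non-vulnerable versions (0.6.16 and 0.6.20) are older than the queried 0.6.25 and fixed_packages is empty, so the result offers no upgrade target and a scanner must not turn those fields into a downgrade recommendation. The version comparison is a plain numeric tuple, assumed adequate for dotted releases like these, not a full PEP 440 parser.

```python
"""Parse a PURL and triage a VulnerableCode-style package lookup result.

Added example, not VulnerableCode's code. LOOKUP_RESULT is constructed
inline to mirror the page's fields for pkg:pypi/calibreweb@0.6.25.
"""
import json
import re
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Component order follows the PURL spec; namespace is optional (pypi has
    none) and may span several '/'-separated segments (e.g. Maven groups).
    Percent-encoded characters such as %40 in npm scopes are decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")      # spec tolerates pkg:// too
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    if "@" in rest:                             # version is after the last '@'
        rest, _, version = rest.rpartition("@")
    else:
        version = ""
    segments = rest.split("/")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]),
        "name": unquote(segments[-1]),
        "version": unquote(version),
        "qualifiers": qualifiers,
        "subpath": unquote(subpath),
    }


def version_key(version: str) -> tuple:
    """Crude numeric key for dotted versions like 0.6.25 (assumption: enough
    for this example; real tooling should use a PEP 440 / semver parser)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def triage(record: dict) -> dict:
    """Decide what a scanner may conclude from one lookup result.

    A suggested non-vulnerable version only counts as an upgrade target if it
    is newer than the queried version; otherwise, with fixed_packages empty,
    the result proves exposure but offers no fix to recommend.
    """
    parts = parse_purl(record["purl"])
    current = version_key(parts["version"])
    suggested = (record.get("next_non_vulnerable_version"),
                 record.get("latest_non_vulnerable_version"))
    upgrade_targets = [v for v in suggested if v and version_key(v) > current]
    vulns = record.get("affected_by_vulnerabilities", [])
    aliases = sorted({a for v in vulns for a in v.get("aliases", [])})
    fixed = [p for v in vulns for p in v.get("fixed_packages", [])]
    return {
        "purl": record["purl"],
        "is_vulnerable": bool(record.get("is_vulnerable")),
        "vulnerability_ids": [v["vulnerability_id"] for v in vulns],
        "aliases": aliases,
        "upgrade_targets": upgrade_targets,
        "has_fix": bool(upgrade_targets or fixed),
    }


# Constructed record: values copied from the page, list/dict types assumed.
LOOKUP_RESULT = {
    "purl": "pkg:pypi/calibreweb@0.6.25",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "0.6.16",
    "latest_non_vulnerable_version": "0.6.20",
    "affected_by_vulnerabilities": [{
        "vulnerability_id": "VCID-gb1g-yf4f-tygr",
        "summary": "Calibre-Web Has a Stored Cross-Site Scripting (XSS) "
                   "Vulnerability via the 'username' Field During User Creation",
        "aliases": ["CVE-2025-65858", "GHSA-pc5g-j9j7-p4q3"],
        "fixed_packages": [],
    }],
    "fixing_vulnerabilities": [],
}

if __name__ == "__main__":
    print(json.dumps(triage(LOOKUP_RESULT), indent=2))
```

Running the block prints is_vulnerable true, the VCID and both aliases, an empty upgrade_targets list and has_fix false: the honest reading of this record is "exposed, no fixed version known", which is what a policy gate should act on rather than the raw next_non_vulnerable_version field.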