vulnerability

CrushFTP: CVE-2025-63419: Improper Neutralization of Input During Web Page Generation

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:N/C:P/I:P/A:N)	Nov 12, 2025	Dec 4, 2025	Dec 4, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Nov 12, 2025

Added

Dec 4, 2025

Modified

Dec 4, 2025

Description

Cross Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The Web-Based Server has a feature where users can share files, the feature reflects the filename to an emailbody field with no sanitations leading to HTML Injection.

Solution

crushftp-crushftp-upgrade-latest

References

CWE-79
CVE-2025-63419
https://attackerkb.com/topics/CVE-2025-63419
URL-https://gist.github.com/MMAKINGDOM/39ded58b1e6d2d19366e76e0d5b1c851
URL-https://github.com/MMAKINGDOM/CVE-2025-63419/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today