Home > Vulnerability Database > CVE-2025-63785

Mend.io Vulnerability Database

CVE-2025-63785

Good to know:

Date: November 6, 2025

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session.

Severity Score

6.1

Related Resources (4)

Url: https://blog.soohyun.tech/CVE-2025-63785-DOM-XSS-in-Onlook-27e557175d2e80e1b210c75b77952115

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-63785

Url: https://tossbank.notion.site/DOM-XSS-in-onlook-27e557175d2e80e1b210c75b77952115

Url: https://www.mend.io/vulnerability-database/CVE-2025-63785

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Encoding or Escaping of Output

CWE-116

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-63785

Good to know:

Date: November 6, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?