CVE-2025-56527

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-56527
Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Cinnamon/kotaemon Product
https://github.com/Cinnamon/kotaemon/commit/37cdc28 Patch
https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure Exploit Third Party Advisory
https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 Exploit Third Party Advisory
https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*
History

02 Dec 2025, 19:37

Type Values Removed Values Added
First Time Cinnamon
Cinnamon kotaemon
CPE cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*
References () https://github.com/Cinnamon/kotaemon - () https://github.com/Cinnamon/kotaemon - Product
References () https://github.com/Cinnamon/kotaemon/commit/37cdc28 - () https://github.com/Cinnamon/kotaemon/commit/37cdc28 - Patch
References () https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure - () https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure - Exploit, Third Party Advisory
References () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 - () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 - Exploit, Third Party Advisory
References () https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74 - () https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74 - Exploit, Third Party Advisory

19 Nov 2025, 15:15

Type Values Removed Values Added
References
  • () https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 -

18 Nov 2025, 17:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-11-18 17:16

Updated : 2025-12-02 19:37

NVD link : CVE-2025-56527

Mitre link : CVE-2025-56527

CVE.ORG link : CVE-2025-56527

JSON object : View

Products Affected

cinnamon

  • kotaemon
CWE
CWE-256

Plaintext Storage of a Password