Description
SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message.
Published: 2026-03-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

SyncFusion Document Editor 30.1.37 contains a stored cross-site scripting flaw that allows malicious script to be inserted through the comment reply field and the chat message interface. If an attacker successfully injects script, it executes in the browser of any user who views the affected document or chat, potentially stealing session tokens, defacing pages, or launching further attacks. The vulnerability compromises the integrity of the user interface and the confidentiality of user data.

Affected Systems

The affected product is SyncFusion Document Editor version 30.1.37. No other versions or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, implying no publicly known widespread exploitation. Exploitation requires access to the application's comment or chat features, and the attacker must deliver a malicious payload through those input fields. No exploit proof of concept is referenced in the available data.

Generated by OpenCVE AI on April 14, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SyncFusion Document Editor to a version newer than 30.1.37
  • If an update is not immediately possible, restrict unauthenticated or privileged access to the comment and chat features
  • Implement content-security policies or input validation to neutralize malicious scripts
  • Monitor application logs for abnormal comment or chat entries that may indicate tampering


Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:00:00 +0000

Type: Title
Values removed: (none)
Values added: Stored XSS in SyncFusion Document Editor 30.1.37 via Comment and Chat Fields

Tue, 14 Apr 2026 19:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:syncfusion:syncfusion:30.1.37:*:*:*:*:*:*:*

Wed, 25 Mar 2026 14:15:00 +0000

Type: Title
Values removed: (none)
Values added: Stored XSS in SyncFusion Document Editor 30.1.37 via Comment and Chat Fields

Mon, 23 Mar 2026 14:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Syncfusion; Syncfusion syncfusion

Type: Vendors & Products
Values removed: (none)
Values added: Syncfusion; Syncfusion syncfusion

Fri, 20 Mar 2026 20:00:00 +0000

Type: Description
Values removed: (none)
Values added: SyncFusion 30.1.37 is vulnerable to Cross Site Scripting (XSS) via the Document-Editor reply to comment field and Chat-UI Chat message.

Type: References
Values removed: (none)
Values added: (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T14:08:45.384Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63260

Vulnrichment

Updated: 2026-03-23T14:08:42.505Z

NVD

Status: Analyzed

Published: 2026-03-20T20:16:47.087

Modified: 2026-04-14T19:26:57.653

Link: CVE-2025-63260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses