CVE-2025-67438: Sync-in Server has a stored cross-site scripting (XSS) vulnerability

February 20, 2026

A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim’s browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user’s session cookies.

References

gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad
github.com/Sync-in/server
github.com/Sync-in/server/commit/a6276d067725637310e4e83a3eee337aae81f439
github.com/Sync-in/server/releases/tag/v1.9.3
github.com/advisories/GHSA-9jmq-xgjm-p8c2
nvd.nist.gov/vuln/detail/CVE-2025-67438

Code Behaviors & Features

Detect and mitigate CVE-2025-67438 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →