GHSA-6mp4-q625-mxjp: YOURLS is vulnerable to XSS through JSONP and Callback request parameters

December 30, 2025

The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In private mode, the XSS payload is still injected into the 403 response body though browser execution is blocked.

References

github.com/YOURLS/YOURLS
github.com/YOURLS/YOURLS/commit/b1c6100e0aa6fef58c9c1a394ccc19352c3a480a
github.com/YOURLS/YOURLS/security/advisories/GHSA-6mp4-q625-mxjp
github.com/advisories/GHSA-6mp4-q625-mxjp

Code Behaviors & Features

Detect and mitigate GHSA-6mp4-q625-mxjp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →