CVE-2025-50183: OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
A vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in <script> tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability.
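The following is an added illustration of the bug class described above, not code from the OpenList frontend: a preview routine that passes a file body through as HTML in one viewing mode, beside a hardened version that always treats the body as text. The function names, the "markdown" mode value and the sample file are assumptions made for the example.

```javascript
// Added example; names and the "markdown" mode value are hypothetical,
// not taken from the OpenList code base.

// Escape the characters that let file text turn into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: when the viewer is in Markdown mode, the raw body is
// emitted as HTML no matter what kind of file it came from.
function previewUnsafe(filename, body, mode) {
  if (mode === "markdown") {
    return `<div class="markdown-body">${body}</div>`;
  }
  return `<pre><code>${escapeHtml(body)}</code></pre>`;
}

// Extensions that are allowed to use the Markdown container at all.
const MARKDOWN_EXT = new Set(["md", "markdown"]);

function extensionOf(filename) {
  const dot = filename.lastIndexOf(".");
  return dot === -1 ? "" : filename.slice(dot + 1).toLowerCase();
}

// Hardened pattern: the mode is only honoured for Markdown files, and the
// body is escaped on every path. This models the strictest policy, where
// raw HTML embedded in a file is displayed as text. A real Markdown
// renderer would instead run its HTML output through a sanitizer.
function previewSafe(filename, body, mode) {
  const escaped = escapeHtml(body);
  if (mode === "markdown" && MARKDOWN_EXT.has(extensionOf(filename))) {
    return `<div class="markdown-body">${escaped}</div>`;
  }
  return `<pre><code>${escaped}</code></pre>`;
}

// Constructed sample: a .py file whose body contains a script element.
const samplePy = 'print("hello")\n<script>alert(1)</script>\n';

console.log(previewUnsafe("demo.py", samplePy, "markdown"));
console.log(previewSafe("demo.py", samplePy, "markdown"));
```
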