CVE-2025-63419: XSS
Published Nov 12, 2025
Cross-Site Scripting (XSS) vulnerability in CrushFTP 11.3.6_48. The web-based server has a file-sharing feature that reflects the filename into an emailbody field without sanitization, leading to HTML injection.
Affected Software
2 affected components
CrushFTP CrushFTP
CrushFTP CrushFTP < 11.3.7_60
Event History
Nov 12, 2025
CVE Published via MITRE · 12:00 AM
Data Sourced via MITRE · 12:00 AM: Description
Data Sourced via NVD · 05:15 PM: Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2025-63419?
CVE-2025-63419 is classified as a high-severity Cross-Site Scripting (XSS) vulnerability.
2. How do I fix CVE-2025-63419?
To fix CVE-2025-63419, ensure that input is properly sanitized before being reflected in the email body field.
3. What versions of CrushFTP are affected by CVE-2025-63419?
CVE-2025-63419 affects CrushFTP version 11.3.6_48 and possibly earlier versions.
4. What is the impact of CVE-2025-63419?
The impact of CVE-2025-63419 includes the potential for HTML injection attacks via shared file names.
5. Can CVE-2025-63419 be exploited remotely?
Yes, CVE-2025-63419 can be exploited remotely by an attacker through crafted file sharing links.