CVE-2025-63420: XSS
Published Nov 7, 2025
CrushFTP11 before 11.3.7_57 is vulnerable to stored HTML injection in the CrushFTP Admin Panel (Reports / "Who Created Folder"), enabling persistent HTML execution in admin sessions.
Affected Software
2 affected components
CrushFTP CrushFTP < 11.3.7_57
CrushFTP CrushFTP >= 11.0.1, < 11.3.7_57
Event History
Nov 7, 2025
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·10:15 PM
Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2025-63420?
CVE-2025-63420 has a medium severity rating due to its potential for persistent HTML execution in admin sessions.
2. How do I fix CVE-2025-63420?
To resolve CVE-2025-63420, upgrade CrushFTP to version 11.3.7_57 or later.
3. What type of vulnerability is CVE-2025-63420?
CVE-2025-63420 is a stored HTML injection vulnerability affecting the CrushFTP Admin Panel.
4. Who is affected by CVE-2025-63420?
CVE-2025-63420 affects users of CrushFTP versions prior to 11.3.7_57.
5. What are the potential impacts of CVE-2025-63420?
The potential impacts of CVE-2025-63420 include unauthorized script execution in admin sessions, which can compromise admin functionality.