CVE-2025-6725
Description
In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered.
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Affected
- Progress Software / Kendo UI for jQuery: versions 2024.4.1112 through 2025.2.520 (inclusive) [affected]
- Progress Software / Kendo UI for Angular: versions 18.5.0 through 19.1.2 (inclusive) [affected]
- Progress Software / KendoReact: versions 5.10.0 through 11.1.0 (inclusive) [affected]
- Progress Software / Telerik UI for ASP.NET MVC: versions 2024.4.1112 through 2025.2.520 (inclusive) [affected]
- Progress Software / Telerik UI for ASP.NET Core: versions 2024.4.1112 through 2025.2.520 (inclusive) [affected]
- Progress Software / Telerik UI for Blazor: versions 3.6.0 through 9.0.0 (inclusive) [affected]
CVSS
- CVSS 3.1: score 5.4, severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
- https://www.telerik.com/blazor-ui/documentation/knowledge-base/pdfviewer-xss-vulnerability-cve-2025-6725
- https://www.telerik.com/aspnet-core-ui/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/aspnet-mvc/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-jquery-ui/documentation/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-angular-ui/components/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
- https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-pdfviewer-xss-cve-2025-6725
Source
cvelistV5-main/cves/2025/6xxx/CVE-2025-6725.json