CVE-2025-65203

Name
CVE-2025-65203
Description
KeePassXC-Browser through 1.9.9.2 autofills, or prompts to fill, stored credentials into documents rendered under a browser-enforced CSP sandbox directive and iframe sandbox attribute, allowing attacker-controlled script in the sandboxed document to access the populated form fields and exfiltrate credentials.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| cve@mitre.org | https://github.com/keepassxreboot/keepassxc-browser/issues/2647 |
| cve@mitre.org | https://github.com/keepassxreboot/keepassxc-browser/pull/2648 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| n/a | | == n/a | == None |
| cpe:2.3:a:keepassxc:keepassxc-browser:*:*:*:*:*:*:*:* | keepassxc-browser | >= None | <= 1.9.9.2 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| keepassxc-browser | edge-community | 1.9.7-r1 | Hugo Osvaldo Barrera <hugo@whynothugo.nl> | possibly vulnerable |
| keepassxc-browser | edge-community | 1.9.7-r0 | Hugo Osvaldo Barrera <hugo@whynothugo.nl> | possibly vulnerable |
| keepassxc-browser | 3.23-community | 1.9.7-r1 | Hugo Osvaldo Barrera <hugo@whynothugo.nl> | possibly vulnerable |