CVE-2025-63785

Published: Nov 7, 2025

Modified: Nov 10, 2025

PUBLISHED

Description

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An attacker can exploit this to inject malicious HTML and script code, which is then executed within the context of the preview iframe, allowing for the execution of arbitrary scripts in the user's session.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://tossbank.notion.site/DOM-XSS-in-onlook-27e557175d2e80e1b210c75b77952115

https://blog.soohyun.tech/CVE-2025-63785-DOM-XSS-in-Onlook-27e557175d2e80e1b210c75b77952115

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63785

Description

Affected Products

References