Vulnerabilities/

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message

Severity:: Medium

Description

Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a “welcome message”, which is HTML that is to be rendered on the login page for branding purposes.

When rendering the welcome message, Dependency-Track versions before 4.13.

Recommendation

Update the @dependencytrack/frontend package to the latest compatible version. Followings are version details:

Affected version(s): >= 4.12.0, < 4.13.6
Patched version(s): 4.13.6

References

GHSA-7xvh-c266-cfr5
CVE-2025-64758
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @dependencytrack/frontend

Anything's wrong? Let us know Last updated on November 17, 2025