@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
- Severity: Medium
Description
Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a “welcome message”, which is HTML that is to be rendered on the login page for branding purposes.
When rendering the welcome message, Dependency-Track versions before 4.13.
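The standard defence for operator-supplied branding HTML such as this welcome message is to sanitize it against an allowlist before it is rendered. The following is an added illustration of that approach, written here for this advisory; it is not Dependency-Track's code and does not describe the project's actual fix. It assumes a stdlib-only Python sketch over a constructed message, keeping a few formatting tags and `href` with a safe scheme, and dropping everything else.

```python
"""Allowlist sanitizer for operator-supplied HTML. Constructed illustration, not project code."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and per-tag attributes that a branding message legitimately needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # drop tag AND content
SAFE_SCHEMES = {"http", "https", "mailto"}


class WelcomeMessageSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, ...) is dropped; its text is kept
        rendered = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently drops on* handlers, style, srcdoc, ...
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # rejects javascript:, data:, vbscript: and relative URLs
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # text is always re-escaped


def sanitize_welcome_message(raw_html: str) -> str:
    parser = WelcomeMessageSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)
```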
Recommendation
Update the @dependencytrack/frontend package to the latest compatible version. The following are the version details:
- Affected version(s): >= 4.12.0, < 4.13.6
- Patched version(s): 4.13.6
References
Related Issues
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Tags: npm, @dependencytrack/frontend
Last updated on November 17, 2025