Security Advisories (source: GitHub Security Advisories)
[@sync-in/server] Sync-in Server has a stored cross-site scripting (XSS) vulnerability
By GitHub, February 21, 2026
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.

**References**

- https://nvd.nist.gov/vuln/detail/CVE-2025-67438
- https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad
- https://github.com/Sync-in/server/releases/tag/v1.9.3
- https://github.com/Sync-in/server/commit/a6276d067725637310e4e83a3eee337aae81f439
- https://github.com/advisories/GHSA-9jmq-xgjm-p8c2
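A general server-side mitigation for the class of bug described above, as an added example: it is not Sync-in's code and does not describe the 1.9.3 fix. It classifies an upload as SVG by content and returns response headers that keep the file from running script in the application's origin; all function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample inputs.
const ACTIVE_MARKERS = [
  /<script[\s>\/]/i,                             // script element
  /\son[a-z]+\s*=/i,                             // event-handler attribute (onload=, ...)
  /(?:xlink:)?href\s*=\s*["']?\s*javascript:/i,  // javascript: link target
  /<foreignObject[\s>\/]/i,                      // can embed arbitrary HTML
];

// Classify by content: the extension and client-supplied MIME type are attacker-controlled.
function looksLikeSvg(bytes) {
  const head = new TextDecoder("utf-8").decode(bytes.subarray(0, 4096));
  return /<svg[\s>]/i.test(head);
}

// Heuristic for logging and triage only; the headers below are the actual control.
function hasActiveContent(bytes) {
  const text = new TextDecoder("utf-8").decode(bytes);
  return ACTIVE_MARKERS.some((re) => re.test(text));
}

// Returns null for non-SVG content, otherwise the response headers plus a triage flag.
function svgResponsePolicy(filename, bytes) {
  if (!looksLikeSvg(bytes)) return null;
  const safeName = filename.replace(/[^\w.-]/g, "_"); // no quotes or CR/LF in the header
  return {
    flagged: hasActiveContent(bytes),
    headers: {
      "Content-Type": "image/svg+xml",
      "X-Content-Type-Options": "nosniff",
      // sandbox without allow-scripts: the document cannot run script even if opened directly
      "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
      // download instead of rendering inline in the application's origin
      "Content-Disposition": `attachment; filename="${safeName}"`,
    },
  };
}

// Constructed sample inputs (inert placeholders, not taken from the advisory).
const enc = (s) => new TextEncoder().encode(s);
const SAMPLE_ACTIVE = enc('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>/* constructed */</script></svg>');
const SAMPLE_CLEAN = enc('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>');
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

console.log(svgResponsePolicy("avatar.svg", SAMPLE_ACTIVE));
```

The pattern check only feeds alerting; the restrictive headers apply to every SVG, flagged or not, because pattern matching on markup is easy to evade.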
---
**[devsupporter commentary]**
This article is part of the latest development news provided by GitHub Security Advisories. To learn more about the related tools and technologies, see the original link.
![[@sync-in/server] Sync-in Server has a stored cross-site scripting (XSS) vulnerability](/assets/images/github_com_1771632180906.png)