CVE-2025-3801 – github.com/songquanpeng/one-api

Package

Manager: go
Name: github.com/songquanpeng/one-api
Vulnerable Version: >=0 <=0.6.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00051 pctl0.15563

Details

one-api Cross-site Scripting vulnerability A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Metadata

Created: 2025-04-19T15:30:23Z
Modified: 2025-04-21T21:54:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-wvcx-j62q-45qw/GHSA-wvcx-j62q-45qw.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-wvcx-j62q-45qw
Finding: F425
Auto approve: 1