Key vulnerability information

CVE ID: CVE-2025-65465
Vendor: Skrol29
Product: TbsZip
Affected Version: All versions <= 2.17
Fixed Version: 2.18
Vulnerability Type: Reflected Cross-Site Scripting (XSS)

Description

A reflected Cross-Site Scripting (XSS) vulnerability in Skrol29 TbsZip version 2.17 and earlier allows remote attackers to execute arbitrary web script or HTML via a crafted payload in a filename parameter passed to the affected function. The function builds an error message that includes the supplied filename and outputs it to the user without HTML-encoding it, so any markup in the filename is rendered by the browser. This vulnerability is fixed in version 2.18.

Proof of Concept

The vulnerability can be exploited by passing a malicious string (containing a script payload) to the affected function via a GET parameter. When the named file is not found, the function reflects the unsanitized value back to the user's browser inside the error message, and the embedded script executes in the origin of the vulnerable application.

Example Payload:

References

Patch/Vendor Advisory: https://github.com/Skrol29/tbszip/releases/tag/v2.18
Project Repository: https://github.com/Skrol29/tbszip

Credit

Discovered by Tim (@T1mund0).
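The following is an added example and is not code from TbsZip or from the advisory author. It models the pattern the advisory describes (a user-controlled filename reflected, unencoded, into an HTML "file not found" error message) next to the hardened form that HTML-encodes the value before output. The handler, the query parameter name "file", the directory argument and the payload are all assumptions made for the example; the advisory's own payload did not survive on this page.

```php
<?php
// Added example, not TbsZip's own code. Models the pattern the advisory
// describes: a filename taken from the request is concatenated into an HTML
// error message when the file is missing. The handler, the "file" parameter
// and the payload below are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the raw filename is concatenated into HTML, so any
// markup in it is rendered by the browser.
function errorMessageVulnerable(string $filename): string
{
    return "<p>Error: file '" . $filename . "' not found.</p>";
}

// Hardened pattern: HTML-encode the untrusted value for the context it lands
// in. ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE returns U+FFFD
// instead of an empty string when the input is not valid UTF-8, so an invalid
// byte sequence cannot silently blank the message.
function errorMessageFixed(string $filename): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Error: file '" . $safe . "' not found.</p>";
}

// Minimal request handler. $query stands in for $_GET so the function can be
// exercised from the CLI; $baseDir is where the ZIP file is expected to live.
function handleRequest(array $query, string $baseDir, bool $fixed): string
{
    $name = (string) ($query['file'] ?? '');
    $path = $baseDir . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        return $fixed ? errorMessageFixed($name) : errorMessageVulnerable($name);
    }
    return '<p>OK</p>';
}

// Constructed payload (not the advisory's): closes the quoted filename and
// injects a script element. The closing quote is only there to show that
// ENT_QUOTES neutralises it as well as the angle brackets.
$payload = "x.zip'><script>alert(document.domain)</script>";
$query   = ['file' => $payload];

echo "Vulnerable: ", handleRequest($query, sys_get_temp_dir(), false), PHP_EOL;
echo "Fixed:      ", handleRequest($query, sys_get_temp_dir(), true), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the vulnerable output the `<script>` element is emitted verbatim, in the fixed output it appears as `&lt;script&gt;`. Two caveats a reviewer would raise: the charset passed to `htmlspecialchars` must match the one the page is actually served with (`Content-Type: text/html; charset=UTF-8`), and encoding is context-specific, so an error message that ends up inside a JavaScript string or a URL needs the encoding for that context rather than HTML entities. A Content-Security-Policy reduces impact but does not replace output encoding. To confirm a deployment is not affected, check that the bundled TbsZip is 2.18 or later rather than relying on the application's own input filtering.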