CVE-2025-8848 PoC — LibreChat 代码注入漏洞

来源

关联漏洞

Description

danny-avila/librechat 0.7.9 contains a stored XSS caused by improper sanitization of the Accept-Language header, letting logged-in users inject arbitrary HTML into the html lang= tag, exploit requires user to be logged in.

文件快照

 id: CVE-2025-8848

info:
  name: LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header
  au

...

备注