CVE-2025-70368 Stored Cross-Site Scripting (XSS) in Project Updates Feature

Description

Worklengz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field, which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

Affected Versions

Steps to Reproduce

1. Navigate to Projects → "Project Name" → Updates
2. Enter the following payload:
3. Navigate to Reporting → Projects
4. The stored payload is rendered, and the alert executes:

Discovery

This vulnerability was discovered by Alex Perrakis (Stolihnayer).

References:

Worklengz Github Repository
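The root cause in the description is stored Updates text being placed into the reporting view's markup without output encoding. The following added example (not Worklengz code; the function names, the row layout and the sample update are assumptions) shows that unsafe pattern next to the hardened form, plus a small check a test suite can use to confirm that input markup no longer reaches the rendered HTML.

```javascript
// Added illustration of the fix for a stored XSS of this kind; not taken from Worklengz.
// escapeHtml, renderUpdateRowUnsafe, renderUpdateRow and leaksMarkup are hypothetical names.

// Map each HTML-significant character to its entity so stored text is shown literally.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the stored Updates text is concatenated straight into the
// reporting table, so any tag a user typed becomes live markup in the viewer's browser.
function renderUpdateRowUnsafe(update) {
  return `<tr><td>${update.project}</td><td>${update.text}</td></tr>`;
}

// Hardened pattern: every user-controlled field is encoded at the point of output.
// (In a DOM context the equivalent is assigning to textContent rather than innerHTML.)
function renderUpdateRow(update) {
  return `<tr><td>${escapeHtml(update.project)}</td><td>${escapeHtml(update.text)}</td></tr>`;
}

// Regression check: does a tag present in the input survive verbatim in the output?
function leaksMarkup(rendered, input) {
  const tag = input.match(/<[a-z][^>]*>/i);
  return tag !== null && rendered.includes(tag[0]);
}

// Constructed sample update whose text carries harmless markup; the advisory's own
// payload is not reproduced here.
const sampleUpdate = { project: 'Project Name', text: 'Sprint 4 <b>done</b> & shipped' };

console.log(renderUpdateRowUnsafe(sampleUpdate)); // tag passes through unchanged
console.log(renderUpdateRow(sampleUpdate));       // tag rendered as literal text
```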