What is CVE-2025-11945?

CVE-2025-11945 is a low-severity vulnerability in Toeverything Affine, classified under Cross-site Scripting. CVSS score: 3.5/10. Published 2025-10-19.

How severe is CVE-2025-11945?

Low severity. CVSS v3 base score is 3.5 out of 10.

RCE in Toeverything Affine

CVE-2025-11945

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross site scripting. The attack may be launched remotely…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (8.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.5 (Low). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N.

Affected products

Toeverything Affine — versions 0.24.0, 0.24.1

Weakness classification (CWE)

References

VDB-329025 | toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting (vdb-entry)
VDB-329025 | CTI Indicators (IOB, IOC, TTP) (signature, permissions-required)
Submit #670888 | toeverything AFFiNE 0.24.1 Cross Site Scripting (third-party-advisory)
cna@vuldb.com (exploit)

Frequently asked questions

What is CVE-2025-11945?: CVE-2025-11945 is a low-severity vulnerability in Toeverything Affine, classified under Cross-site Scripting. CVSS score: 3.5/10. Published 2025-10-19.
How severe is CVE-2025-11945?: Low severity. CVSS v3 base score is 3.5 out of 10.