XSS in Usebruno Bruno
CVE-2025-30210
Bruno is an open source IDE for exploring and testing APIs. Prior to 1.39.1, the custom tool-tip components which internally use react-tooltip were setting the content (in this case the Environment name) as raw HTML which then gets injecte…
EPSS: 0.003 (49.5th percentile)
Affected products
- Usebruno Bruno — versions >= 1.38.0, < 1.39.1
Weakness classification (CWE)
References
- https://github.com/usebruno/bruno/security/advisories/GHSA-fqxc-cxph-9vq8 (x_refsource_CONFIRM)