XSS in Laundry allows an account takeover
5.1
Medium
Discovered by

Offensive Team, Fluid Attacks
Summary
Full name
XSS in Laundry 2.3.0 allows an account takeover
Code name
State
Public
Release date
Jul 2, 2025
Affected product
Laundry
Affected version(s)
Version 2.3.0
Vulnerability name
Reflected cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS v4.0 base score
5.1
Exploit available
Yes
CVE ID(s)
CVE-2025-52842
Description
Laundry version 2.3.0 allows an attacker to take over user accounts. This is possible because the application is vulnerable to reflected cross-site scripting (XSS).
Vulnerability
A reflected XSS vulnerability has been identified in Laundry 2.3.0. Because the injected script executes in the victim's authenticated session, an attacker can take over the account of any user who opens a crafted link.
Exploit
Evidence of exploitation

Our security policy
We have reserved the ID CVE-2025-52842 to refer to this issue from now on.
System Information
Version: laundry 2.3.0
Operating System: macOS
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/mohaiminur/laundry/
Timeline
Vulnerability discovered
Sep 20, 2023
Vendor contacted
Sep 26, 2023
Public disclosure
Jul 2, 2025