Stored HTML injection and Potential Cross Site Scripting in pixelfed ≤ 0.11.4 in pixelfed/pixelfed


Reported on

Feb 21st 2023


pixelfed ≤ 0.11.4 is affected by HTML injection and Potential Cross Site Scripting vulnerability.

Steps to Reproduce:

1.Choose any server from and go to registration page.

2.Enter your username, email, password and enter following payload on "Name" parameter and click on signup.

"><i><h1>HTML INJECTION</h1></i>
  1. Now cross site scripting will be triggered.

4.Malicious code will be triggered on any user's web session who visits the attackers profile.

Proof Of Concept :


This vulnerability allows attacker to embed malicious code in users profile. An devastating impact may cause any user visiting attacker's profile his cookies can be hijacked and attacker can takeover any users account. Or can run javascript payload on profile visitors web session since our profile can be viewed by any person just by sending a link.

We are processing your report and will contact the pixelfed team within 24 hours. a month ago
Suvam Adhikari
a month ago


Its executing everywhere :

Suvam Adhikari modified the report
a month ago
We have contacted a member of the pixelfed team and are waiting to hear back a month ago
pixelfed/pixelfed maintainer has acknowledged this report a month ago
pixelfed/pixelfed maintainer validated this vulnerability a month ago
Suvam Adhikari has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pixelfed/pixelfed maintainer marked this as fixed in 0.11.4 with commit 9bbd6d a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Mar 23rd 2023
register.blade.php#L1-L105 has been validated
Suvam Adhikari
a month ago


Dear @maintainer ,

Can you assign an CVE :) .

Regards, Suvam

Suvam Adhikari
a month ago


Dear @maintainer, Its possible for attacker to create a global variable x in JavaScript containing one value as "document.cookie" and another one that alerts it.

Visit this page Attacker can load external javascript from shortest domain possible and load malicious javascript on victims web session.

Regards, @whoisshuva

pixelfed/pixelfed maintainer published this vulnerability 9 days ago
to join this conversation