Cross Site Scripting (XSS) in Layers of Image in viliusle/minipaint


Reported on

Mar 17th 2023


Cross-site scripting vulnerability in viliusle/minipaint in the layer name of "Edit Image".

Proof of Concept

  1. Go to the URL:
  2. Go to the layers option and add a new layer.
  3. Rename the layer with the payload.
  4. A popup will appear.

For more understanding, please check the POC. POC:

var payload = "><img src=x onerror=alert(document.domain);>


An attacker can use XSS to send a malicious script to an unsuspecting user.
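The report does not show the code that renders layer names, so the following is an added example, not code from minipaint or from the reporter. It shows the general pattern behind this class of bug, a user-chosen layer name concatenated into markup, beside an escaped version and a regression check run on the payload above; the row template, class names and function names are hypothetical.

```javascript
// Added illustration; not minipaint's code. Template and names are hypothetical.

// The payload from the report above, held as a plain string.
const PAYLOAD = '"><img src=x onerror=alert(document.domain);>';

// Vulnerable pattern: the layer name goes into markup unescaped, in both an
// attribute value and element content, before being assigned to innerHTML.
function renderLayerRowUnsafe(layer) {
  return '<div class="layer" data-id="' + layer.id + '">' +
    '<span class="layer_name" title="' + layer.name + '">' + layer.name + '</span></div>';
}

// Escape the characters that matter in element content AND in quoted
// attribute values. Quotes are included because the name lands in title="...".
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every interpolated value is escaped at the point of output.
function renderLayerRowSafe(layer) {
  const name = escapeHtml(layer.name);
  return '<div class="layer" data-id="' + escapeHtml(layer.id) + '">' +
    '<span class="layer_name" title="' + name + '">' + name + '</span></div>';
}

// Regression check for a unit test: list opening tags outside the set the
// template is expected to emit. A regex is enough here because it only
// inspects our own template output, not arbitrary HTML.
function unexpectedTags(html, allowed = ['div', 'span']) {
  const found = [];
  const tagRe = /<\s*([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.push(tag);
  }
  return found;
}

const sampleLayer = { id: 1, name: PAYLOAD }; // constructed sample input
console.log('unsafe:', unexpectedTags(renderLayerRowUnsafe(sampleLayer)));
console.log('safe:  ', unexpectedTags(renderLayerRowSafe(sampleLayer)));
console.log(renderLayerRowSafe(sampleLayer));
```

In DOM code the same result comes from setting the name with `textContent` and `setAttribute` rather than building an HTML string.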

We are processing your report and will contact the viliusle/minipaint team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the viliusle/minipaint team and are waiting to hear back. (10 months ago)
We have sent a follow up to the viliusle/minipaint team. We will try again in 4 days. (10 months ago)
viliusle/minipaint maintainer validated this vulnerability. (10 months ago)
onkar0219 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
viliusle/minipaint maintainer
9 months ago

Are there any updates regarding this matter? May I inquire if there is a CVE assigned to this issue?

viliusle/minipaint maintainer
8 months ago

Are there any updates regarding this matter?

viliusle/minipaint maintainer
4 months ago

Any updates?????

viliusle/minipaint maintainer marked this as fixed in 4.14.0 with commit f22cb4. (3 months ago)
A ghost has been awarded the fix bounty
This vulnerability has now been published. (3 months ago)
viliusle/minipaint maintainer
3 months ago

Another update (v4.14.1) was pushed, v4.14.0 was not enough.
