The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.
https://hackerone.com/reports/3680090
Source: Mitre, NVD
Published: 2026-06-23
Updated: 2026-06-25
EPSS: 0.00303