CVE-2025-26768

Summary

CVE-2025-26768 is a newly disclosed vulnerability affecting the what3words Address Field, specifically versions from n/a to 4.0.15. This issue combines two serious risks: a Cross-Site Request Forgery (CSRF) susceptibility and Stored Cross-Site Scripting (XSS). An attacker could exploit the CSRF vulnerability to induce unintended actions from users, while the Stored XSS enables the insertion of malicious scripts into the what3words service, potentially leading to data theft or site defacement. Users are advised to update their what3words Address Field to the latest version as soon as possible to mitigate these risks.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.