Overview
Swiss Post Cybersecurity has identified multiple Cross-Site Scripting (XSS) and HTML Injection vulnerabilities in the REDCap platform. These vulnerabilities, discovered by security researchers Ralph El Khoury and Patrick Mkhael of Swiss Post Cybersecurity, affect various components of REDCap's user interface and pose significant security risks for organizations that rely on it for research and data management. If exploited, they could allow attackers to inject malicious scripts, leading to unauthorized actions, data theft, session hijacking, and potential compromise of sensitive information.
This discovery underscores the importance of continuous security assessments, even for widely trusted platforms like REDCap, and highlights the ongoing efforts of companies like Swiss Post Cybersecurity in improving the security landscape.
CVE Assignments
| CVE Identifier | Description | Vulnerability Type |
|---|---|---|
| CVE-2024-56310 | HTML Injection in Project Dashboard Name | HTML Injection |
| CVE-2024-56311 | HTML Injection in Calendar Event | HTML Injection |
| CVE-2024-56312 | Stored XSS in Project Dashboard Name | Stored XSS |
| CVE-2024-56313 | Stored XSS in Calendar Event | Stored XSS |
| CVE-2024-56314 | Stored XSS in Project Name | Stored XSS |
| CVE-2024-56376 | Stored XSS in Built-in Messenger | Stored XSS |
| CVE-2024-56377 | Stored XSS in Survey Title | Stored XSS |
| CVE-2025-23110 | Reflected XSS in Email Subject of Alert | Reflected XSS |
| CVE-2025-23111 | HTML Injection via Survey Field Name | HTML Injection |
| CVE-2025-23112 | Stored XSS in Survey Field Name | Stored XSS |
| CVE-2025-23113 | HTML Injection via Alert-Title Field | HTML Injection |
Proof of Concept
The proof of concept for the discovered vulnerabilities, including detailed steps to demonstrate the potential exploitation of the issues, can be found in the reference URLs provided below. These references offer further insights into how the vulnerabilities were identified and their potential impact.
Please refer to the official documentation and advisories for more information on mitigation steps and secure configurations.
Conclusion
While REDCap is subject to regular security assessments and has resolved numerous vulnerabilities over the years, the discovery of these issues in the recent version 14.9.6 highlights that even mature and widely used software can still contain overlooked security flaws. REDCap's history of CVEs reflects both the diligent scrutiny it receives from the cybersecurity community and its development team's proactive efforts to address reported vulnerabilities.
This serves as a reminder that security is an ongoing journey rather than a single milestone. For organizations utilizing REDCap, particularly those managing sensitive research data, this emphasizes the necessity of keeping software updated, performing regular security audits, and adopting additional protective measures.
We strongly advise all REDCap users to upgrade to the latest secure version and maintain a robust security posture by implementing continuous monitoring, secure configuration practices, and comprehensive user education to mitigate potential risks.
References
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2025-23111
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56310
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56311
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56312
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56313
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56314
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56376
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2024-56377
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2025-23110
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2025-23112
- https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap/CVE-2025-23113