A critical cross-site scripting (XSS) vulnerability has been discovered in the popular password manager Bitwarden, affecting versions up to 2.25.1.

The security flaw, designated as CVE-2025-5138, resides in the PDF File Handler component and allows attackers to upload malicious PDF files that can execute arbitrary code when viewed by users.