CVE-2025-50739: iib0011 omni-tools v0.4.0 is vulnerable to remote code execution in the user's browser. The JSON Stringify tool unsafely passes user-provided text to eval() in order to turn it into a JavaScript object. Because the input is evaluated as JavaScript rather than parsed as JSON, a remote attacker can craft a malicious string or JSON file that uses the JavaScript comma operator to execute arbitrary code before the intended object is evaluated; the tool then stringifies the right-hand object as if nothing happened. This enables the full range of client-side attacks, including Cross-Site Scripting (XSS), session hijacking, and data exfiltration, whenever a user pastes or uploads the malicious payload into the tool's text field.

POC

![螢幕截圖 2025-06-09 上午1.32.02](https://hackmd.io/_uploads/B1AMtr7mlg.png)

By entering `alert()` in the textbox, the script executes:

![螢幕截圖 2025-06-09 上午1.32.39](https://hackmd.io/_uploads/SyQSFrm7le.png)

An attacker can also upload a malicious JSON file through "import from file", which triggers the script in the same way, since the file contents are evaluated by the same path. The attacker could send the malicious file to a victim and ask them to upload it to this site to trigger the script.
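The following is an added example illustrating the flaw described above; it is not omni-tools' own source. It assumes the tool does roughly `eval("(" + text + ")")` to convert user text into an object before calling JSON.stringify (the exact omni-tools implementation is an assumption), and places a hardened version using JSON.parse beside it. The `pocSink` array and the `payload` string are constructed for this example; the payload stands in for the `alert()` used in the PoC screenshots, and the same string fed through "import from file" would reach the same code path.

```javascript
// Added example modelling CVE-2025-50739, not omni-tools' own code.
// Assumption: the tool evaluates the text as JavaScript, roughly eval("(" + text + ")").

// Constructed sink that records whether attacker-controlled code ran (stands in for alert()).
globalThis.pocSink = [];

// Vulnerable: the input is JavaScript, so any expression before the comma operator
// executes first, and the object on the right is what gets stringified.
function stringifyUnsafe(text) {
  const obj = eval("(" + text + ")"); // direct eval of attacker-controlled text
  return JSON.stringify(obj, null, 2);
}

// Hardened: JSON.parse accepts only the JSON grammar. It cannot call functions,
// reference variables, or evaluate expressions, so the comma-operator payload is rejected.
function stringifySafe(text) {
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "invalid JSON: " + e.message };
  }
  return { ok: true, output: JSON.stringify(obj, null, 2) };
}

// Constructed payload mirroring the PoC: the comma operator evaluates the left operand
// for its side effect and yields the right operand, so the tool still produces
// plausible output and the victim sees nothing wrong.
const payload = 'globalThis.pocSink.push("attacker code ran"), {"user": "alice"}';

// Runs the payload through both versions and reports whether the sink was hit.
function runPoc() {
  globalThis.pocSink.length = 0;
  const unsafeOut = stringifyUnsafe(payload);
  const ranUnsafe = globalThis.pocSink.length; // 1: attacker code executed

  globalThis.pocSink.length = 0;
  const safeOut = stringifySafe(payload);
  const ranSafe = globalThis.pocSink.length; // 0: JSON.parse threw, nothing executed

  return { unsafeOut, ranUnsafe, safeOut, ranSafe };
}

console.log(runPoc());
```

The unsafe path returns a well-formed `{"user": "alice"}` while having already executed the left operand; in a browser that operand would be the XSS payload running in the site's origin. The safe path fails closed with a parse error, which is the behaviour a JSON tool should have: if the goal is to accept JavaScript-style object literals (unquoted keys, trailing commas), a dedicated non-executing parser is the fix, never eval().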