
JhumanJ OpnForm CVE-2025-11435

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-08 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Scope: Not Defined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 01:32 (vuln.today)

Description (CVE.org)

A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch.

Analysis (AI)

Stored cross-site scripting (XSS) in JhumanJ OpnForm up to version 1.9.3 allows remote attackers to inject malicious scripts via the /show/submissions endpoint, affecting any user who views a tainted submission. The vulnerability requires user interaction (UI:P) to trigger and carries low integrity impact (VI:L). Public exploit code exists, and a patch has been released; however, the CVSS 2.1 score and 0.05% EPSS percentile indicate limited real-world exploitation despite public disclosure.

Technical Context (AI)

JhumanJ OpnForm is a form management and data collection platform. The vulnerability exists in the submissions display functionality (/show/submissions endpoint) where user-supplied input is not properly sanitized before being rendered in the browser. This is a stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation), meaning malicious payloads persist in the backend and execute whenever the affected submission is viewed. The vulnerability affects all versions up to and including 1.9.3, as identified by the CPE string cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*.

Remediation (AI)

Upgrade JhumanJ OpnForm to a version after 1.9.3 that includes the patched commit a2af1184e53953afa8cb052f4055f288adcaa608, which is available via the project's GitHub repository (https://github.com/JhumanJ/OpnForm/pull/900). The patch implements proper input sanitization for the /show/submissions endpoint. Until patching is feasible, restrict access to the submissions viewing functionality to authenticated users only, and deploy Content Security Policy (CSP) headers with a script-src directive that uses 'strict-dynamic' to limit the impact of stored XSS. Note, however, that CSP alone will not stop the injected markup from being rendered in older browsers or configurations without CSP support, so patching remains the primary remediation.


CVE-2025-11435 vulnerability details – vuln.today
