
LogicalDOC Community Edition CVE-2025-11946

Severity: LOW (CVSS 4.0 base score 2.0, rated by NVD)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-10-19 by cna@vuldb.com

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD), base metrics broken out:

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Passive (UI:P)
Scope: Not defined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:19 (vuln.today)

Description (CVE.org)

A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Cross-site scripting (XSS) in LogicalDOC Community Edition up to 9.2.1 allows an authenticated attacker with low privileges to inject script via the contact form fields (First Name, Last Name, Company, Address, Phone, Mobile) on the /frontend.jsp Add Contact Page; a victim must interact with the affected page for the injected script to run. Publicly available exploit code exists. The EPSS score of 0.03% reflects a low real-world exploitation probability despite the public PoC, most likely because exploitation requires both authentication and user interaction.

Technical Context (AI-generated)

The vulnerability is a cross-site scripting (CWE-79) flaw in the Add Contact Page component reached via /frontend.jsp in LogicalDOC Community Edition; the advisory does not state whether the injection is reflected or stored. User-supplied values from the contact form fields are not sanitized or HTML-encoded before being rendered back to users, so characters with HTML meaning in those values are interpreted as markup rather than displayed as text. The CPE indicates that LogicalDOC Community Edition versions up to 9.2.1 are affected. XSS arises when a web application emits untrusted input into a page without context-appropriate output encoding (and, often, without input validation), letting an attacker run arbitrary JavaScript in a victim's browser context; typical consequences are session hijacking, credential theft, or malware delivery.

Remediation (AI-generated)

No vendor-released patch had been confirmed at the time of analysis, since the vendor did not respond to disclosure attempts. Upgrade to a version newer than 9.2.1 as soon as one is available; the durable fix is HTML-encoding the affected fields wherever they are rendered. As compensating controls until then: restrict the Add Contact Page to trusted internal users by limiting access to /frontend.jsp to specific IP ranges with network-level access controls or firewall rules; deploy a Content Security Policy (CSP) header that disallows inline script execution, which limits the impact of injected script even while the encoding flaw persists; and apply Web Application Firewall (WAF) rules that block common XSS payloads in the First Name, Last Name, Company, Address, Phone, and Mobile parameters. Note that WAF signature matching can be evaded by encoded or obfuscated payloads, so it should be treated as defense in depth rather than a fix. These controls reduce exploitability but do not remove the underlying flaw.

CVE-2025-11946 vulnerability details – vuln.today
