
projectworlds Expense Management System CVE-2025-12228

Severity: LOW
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-10-27 · CNA: cna@vuldb.com
Score: 1.9 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
High
User Interaction
Passive (the victim only has to view the affected page; no click is needed)
Vulnerable System Impact
Confidentiality None / Integrity Low / Availability None
Subsequent System Impact
None
Exploit Maturity
Proof-of-Concept

CVSS 4.0 has no Scope metric; the trailing S:X is the supplemental Safety metric, left Not Defined here.

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 02:19 (vuln.today)

Description (CVE.org)

A vulnerability was identified in projectworlds Expense Management System 1.0. The impacted element is an unknown function of the file /public/admin/users/create of the component Users Page. The manipulation leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used.

Analysis (AI)

Cross-site scripting in projectworlds Expense Management System 1.0 via the /public/admin/users/create endpoint of the Users Page. The CVSS vector (PR:H, UI:P) says the injecting party must already hold high privileges (an administrator creating a user) and that the victim's involvement is passive: the payload runs when another user merely views a page that renders the attacker-supplied data, with no link to click. The CVE description does not state whether the payload is stored or reflected; a create-user form makes a stored payload in the saved user record, rendered wherever that record is displayed, the likely path. Impact is confined to low integrity of the vulnerable system (VI:L), with no confidentiality or availability effect. The administrator-privilege requirement keeps the score at 1.9 despite network reachability and a publicly available proof of concept (E:P).

Technical Context (AI)

The vulnerability exists in the Users Page creation functionality (/public/admin/users/create) of the projectworlds Expense Management System. The underlying issue is missing output encoding (CWE-79: Improper Neutralization of Input During Web Page Generation): a value submitted through the create-user form is written back into HTML unchanged, so an attacker can embed JavaScript that persists in the application's data store. When another user loads a page that renders that record, the browser parses the injected markup as part of the page and executes the script in that user's session context.

Remediation (AI)

Upgrade to a patched version if projectworlds publishes one (no vendor advisory is reachable from the provided references; contact projectworlds directly). The root-cause fix is to encode every user-supplied value for the context it is written into (HTML body, HTML attribute, JavaScript string, URL component) at output time; input validation on /public/admin/users/create that rejects unexpected characters in names and e-mail addresses is worthwhile defence in depth but is not a substitute, since data stored before the check was added is still rendered. A Content Security Policy that disallows inline scripts and event handlers blunts the payload even where encoding is missed. Beyond the code, restrict the Users Page creation function to the smallest set of roles that need it and disable administrator accounts that are not actively required, since an administrator account is the precondition for exploitation. These measures reduce exposure while awaiting an official patch.
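As an added illustration of the defect named in the Technical Context above and the context-appropriate output encoding and CSP that the Remediation section calls for: this is plain Python written for this page, not projectworlds code (the page does not state the application's language), and the user records, the `render_users_*` page templates and the CSP value are constructed for the example.

```python
"""Added example for CVE-2025-12228: a Users-page template that echoes stored
user data without encoding, next to a version that encodes each value for the
context it lands in. No web framework is used; the application under
discussion is not this code."""
import html
import json
from urllib.parse import quote

# Constructed sample records, as an administrator might submit them through a
# create-user form. The second name carries an XSS payload.
CONSTRUCTED_USERS = [
    {"name": "alice", "email": "alice@example.test"},
    {"name": '<img src=x onerror="alert(document.cookie)">', "email": "mallory@example.test"},
]


def render_users_vulnerable(users):
    """The CWE-79 pattern: stored values are concatenated straight into markup,
    so whoever opens the page receives the payload as live HTML."""
    rows = "".join(f"<tr><td>{u['name']}</td><td>{u['email']}</td></tr>" for u in users)
    return f"<table>{rows}</table>"


def encode_html(value):
    """HTML body and quoted-attribute context. quote=True also escapes ' and \"
    so the same helper is safe inside attribute values that are quoted."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JavaScript string-literal context (a value echoed into an inline <script>).
    json.dumps quotes and escapes the string; '<' and '/' are escaped on top so a
    value containing '</script>' cannot terminate the enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")


def encode_url_component(value):
    """URL query-component context, e.g. building a ?q=<name> search link.
    safe='' also encodes '/', which quote() would otherwise leave alone."""
    return quote(value, safe="")


def render_users_safe(users):
    """Same page, with every user-controlled value encoded for its output context:
    HTML body for the cells, URL component inside the href, HTML attribute for
    the (quoted) href value as a whole."""
    rows = "".join(
        f"<tr><td>{encode_html(u['name'])}</td>"
        f"<td><a href=\"{encode_html('/admin/users?q=' + encode_url_component(u['name']))}\">"
        f"{encode_html(u['email'])}</a></td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def csp_header():
    """Defence-in-depth header for the response: no inline scripts or event
    handlers, scripts only from the application's own origin. A page that needs
    inline script must add nonces or hashes; this value assumes it does not."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def has_live_img_tag(page):
    """Crude detector for this payload class: an unescaped <img tag in the output."""
    return "<img" in page


if __name__ == "__main__":
    print("vulnerable page executes payload:", has_live_img_tag(render_users_vulnerable(CONSTRUCTED_USERS)))
    print("safe page executes payload:", has_live_img_tag(render_users_safe(CONSTRUCTED_USERS)))
    print("Content-Security-Policy:", csp_header())
```

Note that `encode_html` alone is not enough for a value placed inside a `<script>` block or an unquoted attribute; the separate `encode_js_string` helper covers the former, and the safe template quotes every attribute so the HTML encoder's handling of `"` and `'` is what keeps the value inside it.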
