
projectworlds Expense Management System CVE-2025-12229

Severity: LOW (CVSS 4.0 base score 1.9, rated by NVD)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-10-27 (CNA: cna@vuldb.com)

Severity by source

NVD (primary, only source for this CVE): 1.9 LOW

CVSS vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:30 (vuln.today)

Description (source: CVE.org)

A security flaw has been discovered in projectworlds Expense Management System 1.0. This affects an unknown function of the file /public/admin/roles/create of the component Roles Page. The manipulation results in cross-site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Analysis (AI-generated)

Stored cross-site scripting (XSS) in projectworlds Expense Management System 1.0 allows authenticated high-privilege users to inject malicious scripts via the Roles Page create endpoint (/public/admin/roles/create); the stored content is later served to other users. Exploitation requires high-privilege authentication and user interaction, which limits real-world impact despite the vulnerability being reachable over the network and a public POC being available.

Technical Context (AI-generated)

The vulnerability exists in the Roles Page creation component of the Expense Management System, specifically in the /public/admin/roles/create endpoint. The underlying issue is improper input sanitization or output encoding (CWE-79) in a web application context: malicious HTML/JavaScript submitted through the role-creation form is accepted without adequate validation, persisted in the application's database or reflected in subsequent responses, and later rendered into the page. This is a classic XSS pattern in which user-controlled input reaches the DOM without proper escaping, so the injected script executes in the context of the victim's browser session.

Remediation (AI-generated)

Immediate remediation requires contacting projectworlds for a patched version, as no public patch information is available in the provided data.

As a compensating control, restrict administrative access to the /public/admin/roles/create endpoint to a minimal set of trusted administrators and implement IP whitelisting if possible, reducing the pool of potential attackers. Apply a strong Content Security Policy (CSP) header that blocks inline script execution and restricts script sources to trusted domains; this limits the impact of XSS even if an injection succeeds.

In the application itself, implement input validation on the role-creation form to reject or sanitize special characters and HTML entities, and apply output encoding to all rendered data using context-appropriate encoding (HTML entity encoding for the HTML context). Enable security auditing on administrative functions to detect suspicious role-creation activity.

Contact projectworlds for security updates and consider evaluating alternative expense management solutions if patches are not forthcoming.
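The validation, HTML-context output encoding and CSP header recommended above, worked through in Python as an added example (this is not projectworlds code; the handler, the role-name policy and the sample submissions are all constructed for illustration):

```python
import html
import re

# Hypothetical allow-list for role names; this is an illustrative policy,
# not the vendor's. Markup-relevant characters (< > " ' &) are excluded.
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")

# Constructed sample submissions to a role-creation form: one benign name
# and two that carry HTML/JS markup. They are not payloads from the advisory.
SAMPLE_SUBMISSIONS = [
    "Finance Approver",
    "<script>alert(1)</script>",
    'Auditor" onmouseover="alert(1)',
]

def validate_role_name(name: str) -> bool:
    """Input validation step: accept only names matching the allow-list."""
    return ROLE_NAME_RE.fullmatch(name) is not None

def render_role_row_unsafe(name: str) -> str:
    """The CWE-79 pattern: stored input interpolated into HTML unescaped."""
    return f'<tr><td data-role="{name}">{name}</td></tr>'

def render_role_row(name: str) -> str:
    """Hardened: HTML entity encoding for both attribute and text context."""
    safe = html.escape(name, quote=True)  # encodes & < > " and '
    return f'<tr><td data-role="{safe}">{safe}</td></tr>'

def create_role(store: list, name: str) -> bool:
    """Create handler: reject names that fail validation, persist the rest."""
    if not validate_role_name(name):
        return False
    store.append(name)
    return True

def render_roles_page(store: list) -> str:
    """Roles listing as served to other admins, built with the encoded renderer."""
    rows = "".join(render_role_row(n) for n in store)
    return f"<table>{rows}</table>"

def csp_header() -> tuple:
    """Response header that blocks inline scripts even if encoding is missed."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```

Rendering the second sample with render_role_row_unsafe shows the raw script tag landing in the page; the hardened renderer emits it as inert entities, and create_role never stores it in the first place.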
