CVE-2025-42620

| EUVD-2025-201710 HIGH
2025-12-08 a6d3dc9e-0591-4a13-bce7-0f5b31ff6158
XSS
8.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
A

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:23 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
patch_available
Apr 16, 2026 - 05:29 EUVD
2.18.0
Analysis Generated
Mar 15, 2026 - 17:54 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 17:54 euvd
EUVD-2025-201710
CVE Published
Dec 08, 2025 - 13:15 nvd
HIGH 8.3

DescriptionNVD

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS).

On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).

This issue affects Vulnerability-Lookup: before 2.18.0.

AnalysisAI

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS).

On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).

This issue affects Vulnerability-Lookup: before 2.18.0.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

CVE-2025-42620 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy