Skip to main content

Suse CVE-2025-45806

| EUVDEUVD-2025-209373 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-09 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 09, 2026 - 14:15 euvd
EUVD-2025-209373
Analysis Generated
Apr 09, 2026 - 14:15 vuln.today
CVE Published
Apr 09, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

AnalysisAI

rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.

Technical ContextAI

rrweb-snapshot is a JavaScript library for capturing and replaying web page state, commonly used in session recording and debugging applications. The vulnerability stems from inadequate input sanitization in the snapshot rendering pipeline, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The library processes DOM elements and user-supplied data without sufficient XSS filters before injecting content into the DOM, allowing malicious script tags or event handlers to execute in the context of pages using the library. This affects the client-side snapshot capture mechanism used to serialize page state.

RemediationAI

Upgrade rrweb-snapshot to version v2.0.0-alpha.18 or later. Users should update their dependency to the patched version through npm or their package manager of choice. If immediate patching is not feasible, implement Content Security Policy (CSP) headers with script-src directives to mitigate XSS execution in the context where rrweb-snapshot is deployed. Refer to the upstream repository issue tracker at https://github.com/rrweb-io/rrweb/issues/1817 for additional technical details and patch confirmation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Module for SAP Applications 15 SP3 Fixed

Share

CVE-2025-45806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy