Skip to main content

Globe Document Intelligence CVE-2025-65640

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-04 mitre
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 21:33 vuln.today
CVSS changed
Jun 04, 2026 - 20:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 04, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Cross Site Scripting (XSS) vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript code within these fields, the application fails to properly sanitize or escape the content. As a result, the injected script is executed when the page is rendered, allowing the attacker to execute arbitrary JavaScript in the context of other users' browsers who view the affected page.

AnalysisAI

Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input submitted during document creation is neither sanitized nor HTML-escaped before being rendered into the DOM on the 'Task in Progress / Recent' page, resulting in stored XSS. The attack surface is the document management workflow of Arket Globe Document Intelligence, a document intelligence platform. Because the payload persists server-side and fires on page render for any visiting user, this is a stored (persistent) XSS variant - more impactful than reflected XSS since it does not require tricking a victim into clicking a crafted link. The CPE string provided (cpe:2.3:a:n/a:n/a) is generic and not product-specific, so affected version identification relies exclusively on the CVE description citing version 5.0.0.559.

RemediationAI

No vendor-released patch has been identified at time of analysis. Organizations should monitor the Arket vendor site (https://www.arket.it/) for a patched release addressing this stored XSS. As compensating controls: implement a strict Content Security Policy (CSP) header with 'script-src self' to block inline script execution - note this may break legitimate functionality and requires application testing before deployment. Deploy WAF rules targeting XSS payloads (script tags, JavaScript event handler attributes) on document creation endpoints; this reduces risk but may cause false positives on legitimate rich-text content. Restrict document creation privileges to the minimum necessary set of users, reducing the pool of potential attackers. The public PoC at https://github.com/vincenzo-emanuele/CVE-2025-65640 can be used to validate whether compensating controls are effective before a vendor patch is available.

Share

CVE-2025-65640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy