CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
Description (NVD)
IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
Analysis (AI)
HTML injection in IBM Aspera Shares 1.9.9 through 1.11.0 allows authenticated remote attackers with high privileges to inject malicious HTML that executes in victims' browsers within the hosting site's security context; the victim must interact with the injected content by viewing it. CVSS 4.8 indicates low overall severity; a patch is available from IBM.
Technical Context (AI)
The vulnerability is rooted in CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a form of stored or reflected HTML injection. IBM Aspera Shares, an enterprise file sharing platform, fails to properly sanitize or escape user-supplied input before rendering it in HTML responses. When an authenticated user with high privileges (PR:H in the CVSS vector) submits malicious HTML, the application writes it into the page without sufficient output encoding, so the victim's browser parses it as markup rather than as text. Unlike traditional XSS flaws that target JavaScript execution, HTML injection allows injection of arbitrary HTML elements, attributes, and structures. The attack succeeds only when a victim views the injected content (UI:R), which limits its reach compared to vectors that need no user interaction.
Remediation (AI)
Vendor-released patch available from IBM. Users should upgrade to the patched version released after 1.11.0 using the guidance provided in the IBM support advisory at https://www.ibm.com/support/pages/node/7267848. In the interim, restrict high-privilege account access and monitor for suspicious HTML injection attempts in audit logs. Ensure multi-factor authentication is enabled for administrative accounts to reduce the risk of privilege escalation from lower-privilege compromise.
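As an added illustration of the CWE-80 pattern described in the technical context and of the audit-log monitoring step above (example code, not IBM's or this page's own; the share-description field, the wrapper markup and the audit-log format are assumptions):

```python
import html
import re

# Constructed sample input: a "share description" field as submitted by a
# high-privilege account. Benign markup is used; the point is that any tag
# reaches the response unencoded when output encoding is missing.
SUBMITTED = 'Q3 reports <b>urgent</b> <a href="https://example.invalid/">details</a>'

WRAP_OPEN, WRAP_CLOSE = '<p class="description">', "</p>"
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_vulnerable(value: str) -> str:
    """CWE-80 pattern: user input interpolated into the HTML response unencoded."""
    return f"{WRAP_OPEN}{value}{WRAP_CLOSE}"


def render_hardened(value: str) -> str:
    """Output encoding for element content: <, >, &, ' and " become entities, so
    the browser renders the submitted text literally instead of parsing markup."""
    return f"{WRAP_OPEN}{html.escape(value, quote=True)}{WRAP_CLOSE}"


def injected_tags(rendered: str) -> list:
    """Tags that survive inside the wrapper element, i.e. what a viewing user's
    browser would parse as live HTML. An empty list means the value is plain text."""
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return TAG_RE.findall(inner)


# Constructed audit-log lines in an assumed "user=... field=... value=..." format.
AUDIT_LOG = [
    "user=admin01 field=share_description value=Q3 reports for finance",
    "user=admin02 field=share_description value=See <b>urgent</b> note",
    "user=user07 field=comment value=thanks, looks fine",
    'user=admin01 field=share_name value=<a href="https://example.invalid">x</a>',
]
LOG_RE = re.compile(r"^user=(\S+) field=(\S+) value=(.*)$")


def flag_html_in_audit(lines: list) -> list:
    """Returns (user, field) for every log line whose submitted value contains a
    tag: a first-pass detection for the monitoring step; adapt LOG_RE to the real format."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and TAG_RE.search(m.group(3)):
            hits.append((m.group(1), m.group(2)))
    return hits
```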
Related identifiers: EUVD-2025-209184, GHSA-25px-gj7m-w9m3