
Portabilis i-Diario CVE-2025-7871

Severity: LOW
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2025-07-20 (CNA: cna@vuldb.com)
Score: 2.0 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: Not Defined (X)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:23 (vuln.today)

Description (CVE.org)

A vulnerability has been found in Portabilis i-Diario 1.5.0 and classified as problematic. This vulnerability affects unknown code of the file /conteudos. The manipulation of the argument filter[by_description] leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Cross-site scripting (XSS) in Portabilis i-Diario 1.5.0 allows an authenticated user to inject script via the filter[by_description] parameter of the /conteudos endpoint; the injected markup is then rendered in the browsers of other users. Triggering the flaw requires user interaction (UI:P), the rated impact is low (VI:L, VC:N), and exploit code is publicly available; however, the very low EPSS score (0.05%) and the vendor's non-responsiveness suggest limited real-world exploitation despite the disclosed proof of concept.

Technical Context (AI)

The vulnerability exists in the /conteudos endpoint of Portabilis i-Diario, an educational management system developed by Portabilis. The flaw is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation): the user-supplied value of the filter[by_description] query parameter is not validated or HTML-encoded before it is reflected in HTTP responses or stored by the application. An attacker can therefore inject arbitrary JavaScript that executes in the context of other users' browsers. The attack requires login credentials (PR:L), and the user interaction requirement (UI:P) means a victim must be led to a link that carries the payload.

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the vendor was reportedly contacted early but did not respond. Immediate mitigation options:

1. Upgrade to a patched version if one has been released since disclosure; check the official Portabilis repository.
2. Implement server-side validation of the filter[by_description] parameter that rejects or sanitizes the special characters < > " ' &.
3. Apply HTML entity encoding to all user-supplied input before rendering it in responses.
4. Set a Content Security Policy (CSP) header with script-src 'self' to block inline script execution (note: this may break legitimate functionality if i-Diario relies on inline scripts).
5. Restrict access to the /conteudos endpoint with network-level controls or reverse-proxy rules if the feature is not critical.
6. Educate users not to follow suspicious links that carry filter parameters.

Given the vendor's non-responsiveness, consider migrating to an alternative educational management system if timely security patching is a requirement.
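Steps 2 to 4 side by side, as an added Ruby example that is not i-Diario's own code: an assumed minimal template that echoes the filter value into the search form, first verbatim (the CWE-79 pattern) and then entity-encoded, plus the validator and the CSP header from the list. The sample value, the template and the helper names are all constructed for illustration.

```ruby
require 'cgi'

# Constructed sample value for the filter[by_description] parameter: a harmless
# marker carrying a tag and an inline event handler, not the disclosed PoC.
SAMPLE_FILTER = '<b onmouseover="mark()">historia</b>'

# The characters the remediation says to reject or sanitize.
FILTER_FORBIDDEN = /[<>"'&]/.freeze

# Remediation step 2: refuse the value outright if it carries any of them.
def filter_value_acceptable?(value)
  !value.to_s.match?(FILTER_FORBIDDEN)
end

# Remediation step 3: HTML-entity-encode before the value reaches the page.
# CGI.escapeHTML encodes exactly the five characters in FILTER_FORBIDDEN.
def escape_for_html(value)
  CGI.escapeHTML(value.to_s)
end

# Assumed vulnerable pattern (illustrative, not i-Diario's code): the submitted
# filter is echoed back into the search form verbatim, so any markup in it
# becomes part of the document the next viewer's browser parses.
def render_filter_field_unescaped(value)
  %(<input name="filter[by_description]" value="#{value}">)
end

# Hardened counterpart: same template, value encoded first.
def render_filter_field(value)
  %(<input name="filter[by_description]" value="#{escape_for_html(value)}">)
end

# Count the tags a browser would see. The form contributes one <input>;
# anything beyond that was smuggled in through the untrusted value.
def tag_count(html)
  html.scan(%r{</?[A-Za-z]}).size
end

# Remediation step 4: response header that blocks inline script and inline
# event handlers, since no 'unsafe-inline' source is allowed.
def csp_header
  { 'Content-Security-Policy' => "script-src 'self'" }
end

if __FILE__ == $PROGRAM_NAME
  puts "acceptable?     #{filter_value_acceptable?(SAMPLE_FILTER)}"                   # false
  puts "unescaped tags: #{tag_count(render_filter_field_unescaped(SAMPLE_FILTER))}"   # 3
  puts "escaped tags:   #{tag_count(render_filter_field(SAMPLE_FILTER))}"             # 1
end
```

The tag count is the observable difference: the unescaped render hands the browser two extra elements from the user's value, the encoded render hands it only the form's own input element.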


CVE-2025-7871 vulnerability details – vuln.today
