Comodo Dragon CVE-2025-8206
Severity (by source): LOW
Primary rating from NVD (the only source for this CVE).
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability, which was classified as problematic, was found in Comodo Dragon up to 134.0.6998.179. This affects an unknown part of the component IP DNS Leakage Detector. The manipulation leads to cross-site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Cross-site scripting (XSS) in Comodo Dragon up to version 134.0.6998.179 affects the IP DNS Leakage Detector component and allows remote attackers to inject scripts into the affected page. The vulnerability requires user interaction and has high attack complexity, and its impact is limited to integrity. Public exploit code exists and the vendor has not responded to the disclosure; however, the EPSS score (0.05%, 15th percentile) and the absence of a CISA KEV listing suggest a low likelihood of real-world exploitation despite the availability of a proof of concept.
Technical Context (AI-generated)
The vulnerability resides in Comodo Dragon's IP DNS Leakage Detector component, a browser feature designed to detect DNS query leaks that could expose user privacy. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting). The root cause is insufficient input sanitization or output encoding within the detector's web-based interface, which lets an attacker inject arbitrary HTML or JavaScript that executes in the user's browser context. The affected product is Comodo Dragon for the x64 architecture through version 134.0.6998.179; the browser is based on the Chromium rendering engine.
Remediation (AI-generated)
Update Comodo Dragon to a version newer than 134.0.6998.179 as soon as possible, as this is the last confirmed vulnerable version. The patched release version is not specified in the available data; check Comodo's official website or the browser's update mechanism for the next available version. Until a patch is applied, users can reduce exposure by disabling or isolating the IP DNS Leakage Detector feature in the browser settings, if such an option exists, at the cost of losing that privacy detection capability. Given the vendor's non-response to the disclosure (per the description), users should monitor security advisories and consider switching to an actively maintained browser (Chrome, Firefox, Edge) if security updates for Comodo Dragon remain unavailable.