Roothub
CVE-2025-8211
LOW
Severity by source: primary rating from NVD (the only source for this CVE).
CVSS vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability was found in Roothub up to 2.6. It has been declared as problematic. Affected by this vulnerability is the function Edit of the file src/main/java/cn/roothub/web/admin/SystemConfigAdminController.java. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
Roothub versions up to 2.6 contain a reflected cross-site scripting (XSS) vulnerability in the SystemConfigAdminController Edit function that allows authenticated users to inject malicious scripts via the web interface. The vulnerability requires user interaction (clicking a malicious link) and authenticated access, limiting its practical impact despite network-accessible delivery. Publicly available exploit code exists, though real-world exploitation risk is low given the EPSS score of 0.06% and the authentication barrier.
Technical Context (AI-generated)
The vulnerability exists in the Edit function of src/main/java/cn/roothub/web/admin/SystemConfigAdminController.java, a Java web controller handling system configuration updates. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input is reflected in HTTP responses without proper HTML encoding or sanitization. The attack vector is network-based (AV:N), but exploitation requires prior authentication (PR:L) and user interaction (UI:P), meaning a victim must click a crafted link while authenticated. The vulnerability affects the Roothub application itself rather than an underlying framework or library.
Remediation (AI-generated)
Upgrade Roothub to a version newer than 2.6 if a patched release is available from the Roothub project. If no patched version exists, immediately implement input validation and output encoding in the SystemConfigAdminController Edit function by: (1) validating all user inputs against a whitelist of acceptable characters and rejecting any containing HTML metacharacters or script tags; (2) HTML-encoding all reflected output using a secure encoding library (e.g., OWASP ESAPI) before rendering in responses; (3) implementing Content Security Policy (CSP) headers to prevent inline script execution as a defense-in-depth layer. Restrict administrative access to the SystemConfigAdminController to a minimal set of trusted administrators using network-level controls or role-based access lists. Consult the Roothub project repository and VulDB (vuldb.com/?id.317779) for patch availability and additional remediation guidance.
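As an added illustration of the three remediation steps above (this is a hypothetical Spring MVC controller, not Roothub's code and not from the vuln.today page): the unsafe shape that CWE-79 describes is shown next to a hardened handler that whitelists the input, HTML-encodes it at the point of output, and sets a CSP header. The OWASP Java Encoder (org.owasp.encoder.Encode) is used in place of ESAPI, and the javax.servlet API, class name and route paths are assumptions.

```java
// Hypothetical admin controller (NOT Roothub's SystemConfigAdminController).
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;            // OWASP Java Encoder (assumed dependency)
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class SystemConfigExampleController {

    // Step 1: whitelist. A config name is letters, digits, dots, underscores or dashes.
    private static final Pattern CONFIG_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    // The vulnerable shape: the request parameter is echoed straight into the
    // response body, so any HTML in ?name=... is rendered as markup in the
    // authenticated admin's browser (reflected XSS, CWE-79).
    @GetMapping("/admin/config/edit-unsafe")
    @ResponseBody
    public String editUnsafe(@RequestParam String name) {
        return "<h1>Editing " + name + "</h1>";
    }

    // The hardened handler.
    @GetMapping("/admin/config/edit")
    @ResponseBody
    public String edit(@RequestParam String name, HttpServletResponse response) {
        // Step 3: defense in depth. CSP stops inline script from executing even if
        // an encoding mistake slips through elsewhere in the page.
        response.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'");

        // Step 1: reject anything outside the whitelist instead of trying to strip tags.
        if (!CONFIG_NAME.matcher(name).matches()) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return "<h1>Invalid configuration name</h1>";
        }

        // Step 2: encode for the HTML context at the point of output. This is the
        // control that actually neutralizes the reflected value; validation alone
        // is not a substitute for it.
        return "<h1>Editing " + Encode.forHtml(name) + "</h1>";
    }
}
```

In a templated view the same rule applies: the value must pass through an HTML-context encoder (or the template engine's escaping) before it reaches the response, and the CSP header should be applied application-wide rather than per handler.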