JPACookieShop
CVE-2025-8222
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, has been found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this issue is some unknown functionality of the file GoodsController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. Multiple endpoints are affected.
Analysis (AI)
Stored cross-site scripting (XSS) in the JPACookieShop GoodsController allows authenticated users to inject scripts that execute in other users' browsers. Public exploit code is available; the low CVSS score (2.0) reflects the limited impact together with the prerequisites of authenticated access and user interaction.
Technical Context (AI)
JPACookieShop is a Java-based e-commerce platform using JPA (Java Persistence API) for data access. The vulnerability exists in GoodsController.java, a Spring MVC controller component that handles product-related HTTP requests. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) indicates inadequate input sanitization on product data endpoints before rendering to HTML templates. Stored XSS vulnerabilities in e-commerce platforms typically arise when user-supplied data (product names, descriptions, reviews) is persisted to a database and later rendered without HTML entity encoding or content security policy enforcement.
Remediation (AI)
No specific patched version is identifiable because of the continuous delivery model; coordinate with the jerryshensjf project maintainers via GitHub to confirm whether fixes have been merged to the main branch after disclosure (check https://github.com/Bemcliu/cve-reports and the official JPACookieShop repository for remediation commits). Immediate compensating controls:
(1) Apply strict HTML entity encoding to all product data (name, description, attributes) in the GoodsController response templates, using a templating engine with auto-escaping enabled (e.g., Thymeleaf with th:text instead of th:utext).
(2) Deploy a Content Security Policy (CSP) header that restricts inline scripts (Content-Security-Policy: default-src 'self'; script-src 'self') so an injected payload cannot execute.
(3) Restrict access to the GoodsController endpoints via role-based access control if editing product data is intended to be admin-only.
(4) Validate product fields server-side, rejecting or sanitizing special characters before persistence.
Trade-off: CSP may break legitimate product display features if inline event handlers are used; plan template refactoring accordingly.
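The following is an added example, not code from JPACookieShop, showing how controls (1), (2) and (4) above can be implemented for a Spring MVC product controller. It assumes Spring 6 with jakarta.servlet (older Spring uses javax.servlet); the class names other than GoodsController, the product fields and the template path are assumptions.

```java
// Added example (not JPACookieShop's own code): hardening pattern for a Spring MVC
// product controller. Assumes Spring 6 / jakarta.servlet; names are hypothetical.
package example.hardening;

import java.io.IOException;
import java.util.regex.Pattern;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.HtmlUtils;

/** Control (2): send the CSP header on every response so an injected inline script is blocked. */
@Component
public class CspHeaderFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'");
        chain.doFilter(req, res);
    }
}

/** Controls (1) and (4): validate before persistence, encode before rendering. */
final class GoodsInput {
    // Product names: letters, digits (incl. CJK), spaces and basic punctuation, bounded length.
    private static final Pattern NAME = Pattern.compile("^[\\p{L}\\p{N} .,'()-]{1,100}$");

    // Call from the GoodsController handler that accepts product edits, before saving.
    static String validateName(String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid product name");
        }
        return name;
    }

    // Only needed if a field is rendered with th:utext (raw HTML): encoding turns
    // "<script>" into "&lt;script&gt;". With th:text, Thymeleaf escapes automatically.
    static String encodeForHtml(String description) {
        return description == null ? "" : HtmlUtils.htmlEscape(description);
    }
}
// Thymeleaf template (e.g. goods/detail.html): use th:text for user-supplied fields.
//   <p th:text="${goods.description}"></p>   <!-- safe: auto-escaped -->
//   <p th:utext="${goods.description}"></p>  <!-- vulnerable: renders raw HTML -->
```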