Skip to main content

Reebox CVE-2026-25354

| EUVDEUVD-2026-15671 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-8f6c-5r4r-c5w9
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.8
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15671
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Reebox reebox allows Reflected XSS.This issue affects Reebox: from n/a through < 1.4.8.

AnalysisAI

A reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Reebox WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Reebox versions prior to 1.4.8, allowing attackers to inject malicious scripts that execute in the context of a victim's browser when they click a crafted link. While CVSS and EPSS scores are not publicly available, the CWE-79 classification and Patchstack reporting indicate this is a confirmed, real vulnerability with active disclosure through the EUVD database (EUVD-2026-15671).

Technical ContextAI

The vulnerability is rooted in CWE-79: Improper Neutralization of Input During Web Page Generation, commonly known as reflected XSS. The Reebox theme (CPE: cpe:2.3:a:skygroup:reebox:*:*:*:*:*:*:*:*) is a WordPress theme component that generates dynamic web pages. The root cause is the failure to sanitize or escape user-supplied input before rendering it in HTML responses. An attacker can craft a malicious URL containing JavaScript code that, when processed by Reebox during page generation, is reflected back to the user's browser without proper encoding or filtering, causing the malicious script to execute with the privileges of the vulnerable web application.

RemediationAI

Immediately upgrade the Reebox theme to version 1.4.8 or later, which includes the security patch. Site administrators should navigate to their WordPress dashboard, access the Themes section, and update Reebox to the patched version. For environments where immediate patching is not feasible, implement input validation and output encoding at the application level by adding custom WordPress filters to sanitize reflected parameters, and consider deploying a Web Application Firewall (WAF) with XSS detection rules. Additionally, enforce Content Security Policy (CSP) headers to restrict inline script execution and mitigate reflected XSS impact. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/reebox/vulnerability/wordpress-reebox-theme-1-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for version-specific patch details and timing.

Share

CVE-2026-25354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy