Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code
AnalysisAI
Cross-site scripting (XSS) vulnerability in Hostbill versions 2025-11-24 and 2025-12-01 allows high-privilege remote attackers to execute arbitrary code in admin and client interface contexts without user interaction. The CVSS score of 4.9 reflects the requirement for authenticated high-privilege access, but the presence of publicly available exploit code and the vulnerability's presence in both admin and client interfaces increase real-world risk beyond the base score. The discrepancy between the CWE-79 classification (XSS) and tags indicating RCE capability suggests stored XSS enabling indirect code execution or privilege escalation within the application.
Technical ContextAI
This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where untrusted user input is rendered in HTML/JavaScript contexts without proper sanitization or encoding. The vulnerability manifests in both Hostbill admin and client interfaces, indicating the XSS payload injection points exist in multiple application modules. The presence of RCE tags alongside XSS classification suggests the stored XSS may be chained with template injection, unsafe deserialization, or other backend execution mechanisms. The affected versions (2025-11-24 and 2025-12-01) are recent release cycles, indicating the vulnerability was introduced or discovered within weeks of the affected versions' deployment.
RemediationAI
Hostbill users should immediately upgrade to a patched version released after 2025-12-01. Check the Hostbill security advisory (https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/) for the exact patched version number and upgrade instructions. Until patching is feasible, apply the following mitigations: (1) Restrict network access to the Hostbill admin panel to a whitelist of trusted IP addresses or require VPN/bastion access - this eliminates remote exploitation for admin-tier XSS. (2) Implement Content Security Policy (CSP) headers prohibiting inline script execution and restricting script-src to trusted domains only; this may break existing functionality so test thoroughly before production deployment. (3) Disable or restrict client-interface features that are not actively used if they are the XSS vector. (4) Monitor Hostbill application logs for suspicious admin account activity or unusual script injections in stored fields (database queries, user-generated content). Note that these controls address the attack vector but do not eliminate the underlying vulnerability; patching is mandatory for complete remediation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25422
GHSA-xjv5-fr35-f76p