Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this may allow the attacker to obtain the administrator authentication token and perform arbitrary actions with administrative privileges, which could lead to further compromise.
This issue occurs in versions released before December 2025.
AnalysisAI
Stored XSS in AdaptiveGRC text-type form fields allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers, potentially leading to theft of administrator authentication tokens and privilege escalation. The vulnerability affects multiple versions released before December 2025 due to improper server-side parameter validation. User interaction is required for exploitation, and the attacker must first authenticate to the application.
Technical ContextAI
AdaptiveGRC is a governance, risk, and compliance (GRC) platform that processes form submissions across multiple modules. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where text-type form fields accept user input in HTTP POST requests but fail to properly sanitize or encode the values before storing them in the application database. When the stored payload is later rendered in victims' browsers, the unescaped JavaScript executes in their security context. The attacker must be an authenticated user with form submission privileges, but the actual injection occurs via direct HTTP parameter manipulation rather than the normal application UI, bypassing client-side controls. The administrative token theft vector indicates the application likely stores session tokens in DOM-accessible locations or cookies without HttpOnly flags, making them targets for JavaScript exfiltration.
RemediationAI
Vendor-released patch: Update AdaptiveGRC to the patched version corresponding to your release branch as specified in the ENISA EUVD-2026-25414 and CERT-PL advisory. For example, upgrade 5.420.x to 5.420.66 or later, 5.444.x to 5.444.119 or later, and so on for all affected branches. If immediate patching is not feasible, implement compensating controls: enforce Content Security Policy (CSP) headers with script-src 'self' to restrict JavaScript execution to whitelisted sources, reducing XSS impact even if payload is stored; enable HttpOnly and Secure flags on all session cookies to prevent JavaScript-based token theft; restrict form submission permissions to trusted internal users only via role-based access control; monitor HTTP POST requests to form endpoints for suspicious payloads containing script tags or event handlers; and deploy a Web Application Firewall (WAF) with XSS detection rules to block requests containing common injection patterns. Note that WAF-based mitigation may generate false positives if legitimate form data contains angle brackets or quotes; coordinate with application teams before deployment. The CSP mitigation is the most effective short-term control and carries no functional side effects. Complete remediation requires patching, as compensating controls only reduce (not eliminate) exploitation risk.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25414
GHSA-r3x8-5j74-9fg2