What is the CVSS score of EUVD-2025-200242?

EUVD-2025-200242 has a CVSS 3.1 base score of 3.5 (Low). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Debian are affected by EUVD-2025-200242?

CVE-2025-65858 is a low-severity vulnerability in Calibre-Web involving cross-site scripting (CVSS 3.5).

Is there a public PoC exploit available for EUVD-2025-200242?

Yes, a public proof-of-concept exploit is available for EUVD-2025-200242. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2025-200242?

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Debian EUVD-2025-200242

| CVE-2025-65858 LOW

Cross-site Scripting (XSS) (CWE-79)

2025-12-02 cve@mitre.org

GHSA-pc5g-j9j7-p4q3

XSS Debian

3.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

3.5 LOW

AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200242

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

PoC Detected

Dec 23, 2025 - 13:08 vuln.today

Public exploit code

CVE Published

Dec 02, 2025 - 14:16 nvd

LOW 3.5

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Vendor StatusVendor

Debian

Bug #982690

calibre-web

Release	Status	Fixed Version	Urgency
	open	-	-

EUVD-2025-200242 vulnerability details – vuln.today

Back