Strix
26.1K

CVE-2025-60249

MEDIUMCVSS 6.4/10EPSS 0.18%

Last modified

CVE-2025-60249 is a medium-severity vulnerability rated 6.4/10 on the CVSS scale. vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.

Metrics

CVSS 3.1
6.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS Probability
0.18%

8.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

Timeline

Published
Last Modified
Status
Deferred

Frequently Asked Questions

What is CVE-2025-60249?
vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
How severe is CVE-2025-60249?
CVE-2025-60249 has a CVSS score of 6.4/10 (MEDIUM severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.
How do I fix CVE-2025-60249?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-60249?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST