CVE-2019-25381 MEDIUM

CVE-2019-25381: Smoothwall Express 3.1 'hosts.cgi' Cross-Site Scripting

Vendor Smoothwall
Product Smoothwall Express
Weakness CWE-79 · XSS
Published February 16, 2026
Last update March 5, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests to the hosts.cgi endpoint with script payloads in the IP, HOSTNAME, or COMMENT parameters to execute arbitrary JavaScript in users' browsers.

Key dates

02Disclosure timeline

February 16, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-22692 WordPress Sponsered Link plugin <= 4.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-29803 WordPress FlatPM plugin < 3.1.05 - Cross Site Scripting (XSS) vulnerability CVE-2024-3377 SourceCodester Computer Laboratory Management System cross site scripting CVE-2021-24621 WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code CVE-2023-48301 Nextcloud Server HTML injection in search UI when selecting a circle with HTML in the display name