CVE-2025-23366 MEDIUM

CVE-2025-23366: org.jboss.hal:hal-console: WildFly HAL Console cross-site scripting

Vendor Red Hat
Product Red Hat JBoss Data Grid 7
Weakness CWE-79 · XSS
Published January 14, 2025
Last update June 1, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

A flaw was found in the HAL Console of the WildFly component: it does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users (CWE-79). To exploit it, the attacker must be authenticated as a user belonging to one of the management groups "SuperUser", "Admin", or "Maintainer".

Key dates

Disclosure timeline

January 14, 2025 CVE published
June 1, 2026 Record updated

Related vulnerabilities

Related CVE