CVE-2025-32019 MEDIUM

CVE-2025-32019: Harbor's repository description page allows for XSS

Vendor Goharbor
Product harbor
Weakness CWE-79 · XSS
Published July 23, 2025
Last update July 23, 2025
View on NVD All CVEs

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3.

Key dates

02Disclosure timeline

July 23, 2025 CVE published
July 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-4895 wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import CVE-2026-33303 OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print View CVE-2023-28639 GLPI vulnerable to reflected Cross-site Scripting in search pages CVE-2025-13903 PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2025-1175 Cross-Site Scripting (XSS) vulnerability in Kelio Visio