CVE-2025-36748 HIGH

CVE-2025-36748: Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X

Vendor Growatt

Product ShineLan-X

Weakness CWE-79 · XSS

Published December 13, 2025

Last update December 16, 2025

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L

What the vulnerability does

01Description

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.

Key dates

02Disclosure timeline

December 13, 2025 CVE published

December 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-36748 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-36748: Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X

01Description

02Disclosure timeline

03References

04Related CVE