CVE-2025-40647 MEDIUM

CVE-2025-40647: Stored Cross-Site Scripting (XSS) vulnerability in Issabel products

Vendor Issabel-Pbx Module

Product Issabel

Weakness CWE-79 · XSS

Published October 1, 2025

Last update October 1, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'email' parameter in '/index.php?menu=address_book'.

Key dates

02Disclosure timeline

October 1, 2025 CVE published

October 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-40647 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-27126 Craft CMS has Stored XSS in Table Field via "HTML" Column Type CVE-2026-2389 Complianz – GDPR/CCPA Cookie Consent <= 7.4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Filter CVE-2025-11808 Shortcode for Google Street View <= 0.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2025-23674 WordPress Bit.ly linker plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-47297 WordPress Polls CP plugin <= 1.0.74 - Reflected Cross Site Scripting (XSS) vulnerability

Identifiers

CVE CVE-2025-40647

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Issabel-Pbx Module

Product Issabel

Affected < 5.0.0-2

Vendor Issabel, Issabel-Agenda Module

Product Issabel

Affected < 5.0.0-4