CVE-2025-40648 MEDIUM

CVE-2025-40648: Stored Cross-Site Scripting (XSS) vulnerability in Issabel products

Vendor Issabel-Pbx Module

Product Issabel

Weakness CWE-79 · XSS

Published October 1, 2025

Last update October 1, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Stored Cross-Site Scripting (XSS) vulnerability in Issabel v5.0.0, consisting of a stored XSS due to a lack of proper validation of user input, through the 'numero_conferencia' parameter in '/index.php?menu=conferencia'.

Key dates

02Disclosure timeline

October 1, 2025 CVE published

October 1, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-40648 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-23767 WordPress Marmoset Viewer plugin <= 1.9.3 - Stored Cross Site Scripting (XSS) vulnerability CVE-2019-25095 kakwa LdapCherry URL cross site scripting CVE-2025-4223 Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Reflected Cross-Site Scripting via login_url Parameter CVE-2025-39572 WordPress Checkout for PayPal plugin <= 1.0.38 - Cross Site Scripting (XSS) Vulnerability CVE-2025-23032 Cross-Site Scripting (XSS) Stored endpoint 'adicionar_escala.php' parameter 'escala' in WeGIA

Identifiers

CVE CVE-2025-40648

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Issabel-Pbx Module

Product Issabel

Affected < 5.0.0-2

Vendor Issabel, Issabel-Agenda Module

Product Issabel

Affected < 5.0.0-4