CVE-2025-40674 MEDIUM

CVE-2025-40674: Reflected Cross-Site Scripting (XSS) in osCommerce

Vendor Oscommerce

Product osCommerce

Weakness CWE-79 · XSS

Published June 17, 2025

Last update June 17, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Key dates

02Disclosure timeline

June 17, 2025 CVE published

June 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-40674 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-43810 CVE-2023-1481 SourceCodester Monitoring of Students Cyber Accounts System POST Parameter cross site scripting CVE-2022-34656 WordPress Poll, Survey, Questionnaire and Voting system plugin <= 1.7.4 - Authenticated Cross-Site Scripting (XSS) vulnerability CVE-2024-54209 WordPress Awesome Shortcodes plugin <= 1.7.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-22675 WordPress Alert Box Block plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability