CVE-2025-41089 MEDIUM

CVE-2025-41089: Reflected Cross-Site Scripting (XSS) in CMS

Vendor Xibo Signage
Product Xibo CMS
Weakness CWE-79 · XSS
Published October 10, 2025
Last update October 10, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field, such as the 'Clock' widget. Next, modify the 'Configuration Name' field in the left-hand section.

Key dates

02Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-27996 WordPress Survey Maker plugin <= 4.0.5 - Cross Site Scripting (XSS) vulnerability CVE-2024-11759 Bukza <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-11884 Cross-site Scripting vulnerability discovered in OpenText™ Universal Discovery and CMDB CVE-2017-9394 CVE-2024-12463 Arena.IM – Live Blogging for real-time events <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode