CVE-2025-41346 CRITICAL

CVE-2025-41346: Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este

Vendor Informatica Del Este
Product WinPlus
Weakness CWE-863 · Incorrect authorization
Published November 18, 2025
Last update February 18, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
February 18, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-36625 destiny.gg chat main.go websocket.Upgrader cross-site request forgery CVE-2024-5705 Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization CVE-2026-44314 Traccar: Missing edit authorization on device image upload allows read-only users to write files CVE-2026-2462 Admin RCE via Malicious Plugin Upload on CI Test Instances CVE-2023-3586 Disabling publicly-shared boards does not disable existing publicly available board links