CVE-2025-41681 MEDIUM

CVE-2025-41681: Persistent Cross-Site Scripting via POST Requests Due to Improper Neutralization of Input

Vendor Mb Connect Line

Product mbNET.mini

Weakness CWE-79 · XSS

Published July 21, 2025

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content.

Key dates

02Disclosure timeline

July 21, 2025 CVE published

November 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-41681

Related vulnerabilities

04Related CVE

CVE-2023-24398 WordPress EZP Coming Soon Page Plugin <= 1.0.7.3 is vulnerable to Cross Site Scripting (XSS) CVE-2026-28754 Stored XSS Vulnerability CVE-2025-53422 WordPress WhatsApp Chat for WordPress and WooCommerce plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability CVE-2026-40607 MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column CVE-2024-3732 GeoDirectory – WordPress Business Directory Plugin, or Classified Directory <= 2.3.48 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode

Identifiers

CVE CVE-2025-41681

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Mb Connect Line

Product mbNET.mini

Affected ≥ 0.0.0 and < 2.3.3

Vendor Helmholz

Product REX 100

Affected ≥ 0.0.0 and < 2.3.3