CVE-2025-59901 HIGH

CVE-2025-59901: authenticated reflected XSS vulnerability in Sync Breeze Enterprise Server

Vendor Flexense
Product Sync Breeze Enterprise Server
Weakness CWE-352 · CSRF
Published January 28, 2026
Last update January 28, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.

Key dates

02 Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated