CVE-2025-66561 HIGH

CVE-2025-66561: SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)

Vendor Syslifters

Product sysreptor

Weakness CWE-79 · XSS

Published December 4, 2025

Last update December 5, 2025

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, there is a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102.

Key dates

02Disclosure timeline

December 4, 2025 CVE published

December 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66561 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-40989 Stored XSS in Creativeitem Ekushey CRM CVE-2022-29422 WordPress Countdown & Clock plugin <= 2.3.2 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities CVE-2024-47339 WordPress WP Mail Catcher plugin <= 2.1.9 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-37993 WordPress wpShopGermany IT-RECHT KANZLEI Plugin <= 1.7 is vulnerable to Cross Site Scripting (XSS) CVE-2024-2717 Campcodes Complete Online DJ Booking System booking-search.php cross site scripting