CVE-2025-8386 MEDIUM

CVE-2025-8386: AVEVA Application Server IDE Basic Cross-site Scripting

Vendor Aveva
Product Application Server
Weakness CWE-80 · XSS · basic
Published November 14, 2025
Last update November 17, 2025

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

Description

The vulnerability, if exploited, could allow an authenticated miscreant (with the "aaConfigTools" privilege) to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that, when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected.

Disclosure timeline

November 14, 2025 CVE published
November 17, 2025 Record updated