CVE-2025-9796 MEDIUM

CVE-2025-9796: thinkgem JeeSite EncodeUtils.java decodeUrl2 cross site scripting

Vendor Thinkgem

Product JeeSite

Weakness CWE-79 · XSS

Published September 1, 2025

Last update September 2, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was found in thinkgem JeeSite up to 5.12.1. This affects the function decodeUrl2 of the file common/src/main/java/com/jeesite/common/codec/EncodeUtils.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 5.13.0 mitigates this issue. The patch is identified as 63773c97a56bdb3649510e83b66c16db4754965b. Upgrading the affected component is recommended.

Key dates

Disclosure timeline

September 1, 2025 CVE published

September 2, 2025 Record updated

Identifiers

CVE CVE-2025-9796

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Thinkgem

Product JeeSite

Affected 5.12.0

Vendor Thinkgem

Product JeeSite

Affected 5.12.1