CVE-2019-25448

MEDIUM

OrientDB 3.0.17 - Authenticated Stored Cross-Site Scripting via User Creation Name Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25448. PoCs published by Ozer Goker.

AI-analyzed exploit summary The exploit demonstrates multiple CSRF and XSS vulnerabilities in OrientDB 3.0.17 GA Community Edition. It includes detailed HTTP requests for creating/deleting databases, managing users, and executing stored/reflected XSS payloads.

Description

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.

Exploits (1)

exploitdb WORKING POC
by Ozer Goker · textwebappsmultiple
https://www.exploit-db.com/exploits/46517

The exploit demonstrates multiple CSRF and XSS vulnerabilities in OrientDB 3.0.17 GA Community Edition. It includes detailed HTTP requests for creating/deleting databases, managing users, and executing stored/reflected XSS payloads.

Classification
Working Poc 95%
Attack Type
Xss | Csrf
Complexity
Trivial
Reliability
Reliable
Target: OrientDB 3.0.17 GA Community Edition
Auth required
Prerequisites: Access to OrientDB web interface · Valid session cookie or authentication credentials
devstral-2 · analyzed Feb 21, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46517
Various Sources product
https://orientdb.dev/

Scores

CVSS v3 6.4
EPSS 0.0025
EPSS Percentile 16.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
orientdb/orientdb 3.0.17
Orientdb/OrientDB 3.0.17
Published Feb 20, 2026
Tracked Since Feb 21, 2026