CVE-2025-22274

LOW

CyberArk Endpoint Privilege Manager <24.7.1 - XSS

Title source: llm

Description

It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

References (3)

[Various Sources] https://cert.pl/en/posts/2025/02/CVE-2025-22270/

[Various Sources] https://cert.pl/posts/2025/02/CVE-2025-22270/

[Various Sources] https://docs.cyberark.com/epm/24.7.1/en/content/resources/_topnav/cc_home.htm

Scores

CVSS v4 2.0

EPSS 0.0015

EPSS Percentile 35.3%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-80

Status published

Products (1)

CyberArk/Endpoint Privilege Manager 24.7.1

Published Feb 28, 2025

Tracked Since Feb 18, 2026