CVE-2025-25461
MEDIUM · SeedDMS - XSS
A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. A user or rogue admin with the "Add Category" permission can enter a malicious XSS payload as a category name. The name is stored verbatim on the server; when a document is subsequently associated with that category, the name is rendered in the document view without sanitization or output encoding, so the payload executes in the browser of any user who views the document.
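The weakness pattern the description names, a category name stored verbatim and later interpolated into the document view without output encoding, as an added example that is not SeedDMS code: a hypothetical in-memory category store, a rendering function written the way a vulnerable view builds its HTML, the same view with HTML output encoding applied at the sink, and a check that flags a rendered page when a probe category name survives unencoded. The probe string, the `CategoryStore` class and the `render_*` and `page_is_vulnerable` names are assumptions for illustration, not identifiers from SeedDMS or from the linked PoC.

```python
import html

# Constructed probe a tester would submit through "Add Category".
# It is a marker for the test, not a payload taken from the PoC.
PROBE_CATEGORY = '<img src=x onerror="alert(document.domain)">'


class CategoryStore:
    """In-memory stand-in for the category table (assumed, not SeedDMS's schema).

    Names are stored exactly as submitted; the defect in the advisory is at
    the rendering sink, so storage itself is not where the fix belongs."""

    def __init__(self) -> None:
        self._names: dict[int, str] = {}
        self._next_id = 1

    def add_category(self, name: str) -> int:
        """The "Add Category" action: returns the new category id."""
        cid = self._next_id
        self._next_id += 1
        self._names[cid] = name
        return cid

    def names_for(self, category_ids: list[int]) -> list[str]:
        """Names of the categories a document has been associated with."""
        return [self._names[cid] for cid in category_ids]


def render_document_view_vulnerable(doc_name: str, categories: list[str]) -> str:
    """Builds the document page by plain string interpolation.

    Category names land in the HTML untouched, which is the CWE-79 pattern
    the advisory describes."""
    items = "".join(f"<li>{name}</li>" for name in categories)
    return f"<h1>{doc_name}</h1><ul class='categories'>{items}</ul>"


def render_document_view_fixed(doc_name: str, categories: list[str]) -> str:
    """Same view with HTML output encoding applied to every untrusted value.

    html.escape(quote=True) encodes < > & " and ', so a stored name can only
    ever appear as text inside the <li>, never as markup or an attribute."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in categories)
    return f"<h1>{html.escape(doc_name, quote=True)}</h1><ul class='categories'>{items}</ul>"


def page_is_vulnerable(rendered_html: str, probe: str) -> bool:
    """True when the probe was reflected byte-for-byte, i.e. the sink did not encode it.

    A correctly encoded page still shows the probe text to the user, but only
    after decoding entities, so the raw probe must not appear in the HTML."""
    return probe in rendered_html


def demo(render) -> tuple[str, bool]:
    """Runs the stored-XSS flow end to end against a given renderer:
    admin adds the category, a document is associated with it, a viewer
    requests the document page. Returns (rendered page, vulnerable?)."""
    store = CategoryStore()
    finance = store.add_category("Finance")
    planted = store.add_category(PROBE_CATEGORY)
    # Document associated with both categories; doc name assumed for the demo.
    page = render("Q3 report.pdf", store.names_for([finance, planted]))
    return page, page_is_vulnerable(page, PROBE_CATEGORY)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_document_view_vulnerable),
                          ("fixed", render_document_view_fixed)):
        page, vuln = demo(render)
        print(f"{label}: vulnerable={vuln}\n  {page}")
```

The same check is what a scanner does against the real application: add a category whose name is a unique marker wrapped in a tag, attach a document to it, fetch the document view as a low-privileged user and look for the marker unencoded. Encoding at the sink is the fix; rejecting `<` and `>` in category names on input would only be defence in depth, since the name may also be rendered in other views, attributes or JSON contexts that need their own encoding.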
Exploits (1)
nomisec
WRITEUP
2 stars
by RoNiXxCybSeC0101 · poc
https://github.com/RoNiXxCybSeC0101/CVE-2025-25461
Scores
CVSS v3
5.4
EPSS
0.0025
EPSS Percentile
48.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
seeddms/seeddms
6.0.29
Published
Feb 28, 2025
Tracked Since
Feb 18, 2026