CVE-2025-26202

MEDIUM

DZS Router - XSS

Title source: llm

Description

Cross-Site Scripting (XSS) vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page

Exploits (1)

nomisec WRITEUP 2 stars

by A17-ba · poc

https://github.com/A17-ba/CVE-2025-26202-Details

View Code ZIP pw:eip

References (1)

[Various Sources] https://github.com/A17-ba/CVE-2025-26202-Details

Scores

CVSS v3 4.3

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published Mar 04, 2025

Tracked Since Feb 18, 2026