CVE-2025-36748

MEDIUM

Growatt ShineLan-X Firmware 3.6.0.0-3.6.0.1 - Stored Cross-Site Scripting in Communication Module Settings

Title source: llm

Description

ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to cause a legitimate user’s browser to run malicious JavaScript code.

References (1)

Core References
Third Party Advisory
https://csirt.divd.nl/CVE-2025-36748/

Scores

CVSS v3 5.4
EPSS 0.0013
EPSS Percentile 3.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
growatt/shine_lan-x_firmware 3.6.0.0 - 3.6.0.2
Published Dec 13, 2025
Tracked Since Feb 18, 2026