CVE-2025-41065

MEDIUM

LUNA 7.5.5.6 - Stored Cross-Site Scripting via Edit Batch Name Function

Title source: llm

Description

Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

References (1)

Core 1

Core References

Third Party Advisory

https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging

Scores

CVSS v4 5.1

EPSS 0.0024

EPSS Percentile 15.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Luna Imaging/LUNA 7.5.5.6

Published Feb 03, 2026

Tracked Since Feb 18, 2026