CVE-2025-41088

MEDIUM

Xibo CMS < 4.2.2 - Stored Cross-Site Scripting via Template Text Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-41088. PoCs published by Marinafabregat.

AI-analyzed exploit summary: This repository contains a detailed proof-of-concept for CVE-2025-41088, a stored XSS vulnerability in Xibo CMS v4.1.2. The exploit demonstrates how an authenticated attacker can inject malicious scripts into templates, which execute when viewed by other users.

Description

Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.

Exploits (1)

nomisec WORKING POC 5 stars
by Marinafabregat · poc
https://github.com/Marinafabregat/CVE-2025-41088

Classification
Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Xibo CMS v4.1.2
Auth required
Prerequisites: Authenticated access to Xibo CMS · Ability to create or edit templates
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 5.1
EPSS 0.0033
EPSS Percentile 24.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
Xibo Signage/Xibo CMS < 4.2.2
Published Oct 10, 2025
Tracked Since Feb 18, 2026