CVE-2025-41228
MEDIUMVMware ESXi - XSS
Title source: llmDescription
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
Exploits (1)
exploitdb
WRITEUP
by Imraan Khan (Lich-Sec) · textwebappsmultiple
https://www.exploit-db.com/exploits/52406
Scores
CVSS v3
4.3
EPSS
0.0601
EPSS Percentile
90.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-79
Status
published
Products (6)
VMware/Cloud Foundation
5.x, 4.5.x
VMware/ESXi
7.0 - ESXi70U3sv-24723868
VMware/ESXi
8.0 - ESXi80U3se-24659227
VMware/Telco Cloud Infrastructure
3.x,2.x
VMware/Telco Cloud Platform
5.x, 4.x, 3.x, 2.x
VMware/vCenter Server
8.0 - 8.0 U3e
Published
May 20, 2025
Tracked Since
Feb 18, 2026