CVE-2025-46545
MEDIUMSherpa Orchestrator 141851 - Stored Cross-Site Scripting via License Name Parameter
Title source: llmDescription
In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.
References (4)
Core 4
Core References
Not Applicable
https://deiteriy.com
Third Party Advisory
https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7
Product
https://sherparpa.com
Not Applicable
https://twitter.com/ArtyomBrylev
Scores
CVSS v3
4.4
EPSS
0.0024
EPSS Percentile
14.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
sherparpa/sherpa_orchestrator
141851
Published
Apr 25, 2025
Tracked Since
Feb 18, 2026