CVE-2025-46545

MEDIUM

Sherpa Orchestrator 141851 - Stored Cross-Site Scripting via License Name Parameter

Title source: llm
STIX 2.1

Description

In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

References (4)

Core 4

Scores

CVSS v3 4.4
EPSS 0.0024
EPSS Percentile 14.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
sherparpa/sherpa_orchestrator 141851
Published Apr 25, 2025
Tracked Since Feb 18, 2026