CVE-2025-50985

MEDIUM

diskover-web v2.3.0 Community Edition - Reflected Cross-Site Scripting via Unsanitized GET Parameters

Title source: llm

Description

diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. The GET parameters maxage, maxindex, index, path, q (query), and doctype are echoed into the HTML response without output encoding, so an attacker who lures a victim into opening a crafted URL can inject and execute arbitrary JavaScript in the victim's browser, in the origin of the diskover-web application.
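The following is an added illustration of the vulnerable pattern and of the check a tester would run against it; it is not code from diskover-web (which is PHP) and is written in Python so it runs stand-alone. The toy templates, the payload, the canary string and the function names are all assumptions; the only thing taken from the advisory is the list of six parameter names. The probe sends the payload in one parameter at a time and classifies each response as raw reflection, encoded reflection, or no reflection.

```python
import html
from typing import Callable, Dict

# Parameter names the advisory reports as reflected unsanitized.
REFLECTED_PARAMS = ("maxage", "maxindex", "index", "path", "q", "doctype")

# Hypothetical probe payload (an assumption, not a PoC from the advisory):
# closes a quoted attribute, then adds an element with an event handler.
# The canary makes the reflection unambiguous when grepping responses.
CANARY = "c4n4ry"
PAYLOAD = f'"><img src=x onerror=alert({CANARY})>'


def vulnerable_render(params: Dict[str, str]) -> str:
    """Toy stand-in for the affected page: echoes each GET value raw."""
    rows = [f'<input name="{k}" value="{params.get(k, "")}">' for k in REFLECTED_PARAMS]
    return "<form>" + "".join(rows) + "</form>"


def hardened_render(params: Dict[str, str]) -> str:
    """Same toy page with HTML-attribute output encoding applied."""
    rows = [
        f'<input name="{k}" value="{html.escape(params.get(k, ""), quote=True)}">'
        for k in REFLECTED_PARAMS
    ]
    return "<form>" + "".join(rows) + "</form>"


def classify(body: str, payload: str) -> str:
    """Decide how a single response handled the payload."""
    if payload in body:
        return "reflected-raw"        # exploitable: markup survived intact
    if html.escape(payload, quote=True) in body:
        return "encoded"              # reflected, but rendered inert
    return "absent"                   # not echoed (or transformed otherwise)


def probe(render: Callable[[Dict[str, str]], str], payload: str = PAYLOAD) -> Dict[str, str]:
    """Inject the payload into one parameter at a time and classify each response.

    `render` models a GET request; against a live target you would replace it
    with an HTTP client call that sends the same query parameters.
    """
    results: Dict[str, str] = {}
    for name in REFLECTED_PARAMS:
        body = render({name: payload})
        results[name] = classify(body, payload)
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_render))
    print("hardened:  ", probe(hardened_render))
```

Testing each parameter separately matters because a page can encode some values and not others; a single combined request would hide that. The hardened form encodes for an HTML attribute context only; a value that lands inside a script block or a URL needs the encoder for that context instead, which is a separate check.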

Scores

CVSS v3 5.6
EPSS 0.0022
EPSS Percentile 13.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
diskoverdata/diskover 2.3.0
Published Aug 27, 2025
Tracked Since Feb 18, 2026