CVE-2025-59901

Disk Pulse Enterprise v10.4.18 - Authenticated XSS

Title source: llm

Description

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.

References (1)

[Third Party Advisory] https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products

Scores

EPSS 0.0002

EPSS Percentile 6.3%

Classification

CWE

CWE-352

Status draft

Timeline

Published Jan 28, 2026

Tracked Since Feb 18, 2026