CVE-2025-59901

HIGH

Disk Pulse Enterprise v10.4.18 - Authenticated XSS

Title source: llm

Description

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.

Scores

CVSS v4 8.5
EPSS 0.0019
EPSS Percentile 8.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (2)
Flexense/Disk Pulse Enterprise v10.4.18
Flexense/Sync Breeze Enterprise Server v10.4.18
Published Jan 28, 2026
Tracked Since Feb 18, 2026