Description
A reflected cross-site scripted (XSS) vulnerability in the /jsp/gsfr_feditorHTML.jsp endpoint of Zucchetti ZMaintenance Infinity and Infinity Zucchetti v4.1 and earlier allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into the pHtmlSource parameter. A vendor fix was released on 2025-06-18.
References (2)
Core 2
Core References
Third Party Advisory
https://gist.github.com/alex-xor/8651dbdd413e4fa7240b0ab1b1845d76
Product
https://www.zucchetti.it/
Scores
CVSS v3
6.1
EPSS
0.0016
EPSS Percentile
6.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
zucchetti/infinity_zmaintenance
< 4.1
zucchetti/infinity_zucchetti
< 4.1
Published
Nov 04, 2025
Tracked Since
Feb 18, 2026