CVE-2025-62613
MEDIUM NUCLEIvdo.ninja 28.0-28.4 - Reflected Cross-Site Scripting via Room Parameter
Title source: llmExploitation Summary
CVE-2025-62613 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
VDO.Ninja is a tool that brings remote video feeds into OBS or other studio software via WebRTC. From versions 28.0 to before 28.4, a reflected Cross-Site Scripting (XSS) vulnerability exists on examples/control.html through the room parameter, which is improperly sanitized before being rendered in the DOM. The application fails to validate and encode user input, allowing malicious scripts to be injected and executed. This issue has been patched in version 28.4.
Nuclei Templates (1)
VDO.Ninja - DOM-Based Cross-Site Scripting
MEDIUMVERIFIEDby 0x_Akoko
FOFA:
body="vdo.ninja"
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/steveseguin/vdo.ninja/security/advisories/GHSA-mp9c-cpch-x73c
Patch x_refsource_misc
https://github.com/steveseguin/vdo.ninja/commit/83c0ac753ad60c7a086daced3244688cabd4f6b8
Release Notes x_refsource_misc
https://github.com/steveseguin/vdo.ninja/releases/tag/v28.4
Scores
CVSS v4
6.9
EPSS
0.0194
EPSS Percentile
83.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
steveseguin/vdo.ninja
>= 28.0, < 28.4
Published
Oct 22, 2025
Tracked Since
Feb 18, 2026