CVE-2025-65187
Severity: MEDIUM
CiviCRM < 6.7.0 - Authenticated Stored Cross-Site Scripting in Accounting Batches Field
Title source: llmDescription
A Stored Cross-Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field, and it executes whenever the page is viewed.
References (2)
Product: https://civicrm.com/
Exploit, Third Party Advisory: https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf
Scores
CVSS v3: 6.1
EPSS: 0.0018
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
civicrm/civicrm < 6.7.0
Published: Dec 02, 2025
Tracked Since: Feb 18, 2026