CVE-2025-65442

EIP tracks 1 public exploit for CVE-2025-65442. PoCs published by zero-day348.

AI-analyzed exploit summary This repository contains a detailed writeup of a DOM-based XSS vulnerability (CVE-2025-65442) in the novel V3.5.0 platform. The vulnerability arises from inadequate validation of user-submitted comments, which are stored and rendered unsanitized via Vue 3's v-html directive.

DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript code or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or malicious script injection into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field) and returned via API, then rendered directly into the page DOM via Vue 3's v-html directive without sanitization. Even if modern browsers' built-in XSS filters block pop-up alerts, attackers can use concealed payloads to bypass interception and achieve actual harm.