CVE-2025-65540

MEDIUM

xmall v1.1 - Stored Cross-Site Scripting via Username and Description Fields


Description

Multiple stored Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are rendered directly into HTML without sanitization or output encoding, allowing an attacker to inject script that executes in the browser of any user who views the affected page.

References (1)

Exploit, Third Party Advisory, Issue Tracking: https://github.com/Exrick/xmall/issues/101

Scores

CVSS v3: 6.1
EPSS: 0.0016
EPSS Percentile: 5.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): exrick/xmall 1.1
Published: Nov 29, 2025
Tracked Since: Feb 18, 2026