CVE-2025-65572

MEDIUM

Allsky - XSS

Title source: rule

Description

Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker.

References (4)

[Exploit, Third Party Advisory] https://gh0stmezh.wordpress.com/2025/12/04/cve-2025-65572/

[Product] https://github.com/AllskyTeam/allsky

[Product] https://github.com/AllskyTeam/allsky/blob/master/html/includes/allskySettings.php

[Product] https://github.com/AllskyTeam/allsky/blob/master/html/includes/status_messages.php

Scores

CVSS v3 6.1

EPSS 0.0013

EPSS Percentile 31.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

allskyteam/allsky 2024.12.06_06

Published Dec 09, 2025

Tracked Since Feb 18, 2026