CVE-2025-65572

MEDIUM

AllskyTeam AllSky 2024.12.06_06 - Stored Cross-Site Scripting via config, filename, or extratext Parameter

Title source: llm

Description

Cross-Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when a user visits allskySettings.php, the showMessages() function in status_messages.php prints the error messages and executes the script injected by the attacker.

Scores

CVSS v3 6.1
EPSS 0.0034
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
allskyteam/allsky 2024.12.06_06
Published Dec 09, 2025
Tracked Since Feb 18, 2026