CVE-2025-65592
MEDIUM
nopCommerce 4.90.0 - Stored Cross-Site Scripting in Product Management Fields
Title source: llm
Description
nopCommerce 4.90.0 is vulnerable to cross-site scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages.
References (3)
Core References
Mailing List, Third Party Advisory
https://seclists.org/fulldisclosure/2025/Dec/19
Product
https://www.nopcommerce.com/
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2025/Dec/19
Scores
CVSS v3: 6.1
EPSS: 0.0022
EPSS Percentile: 12.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
nopcommerce/nopcommerce: 4.90.0
Published: Dec 16, 2025
Tracked Since: Feb 18, 2026