CVE-2025-69606

MEDIUM

GSVoIP 2.0.90 - Cross-Site Scripting via msg Parameter in /painel/gateways.php/error Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69606. PoCs published by Razielx64.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2025-69606, a reflected XSS vulnerability in GSVoIP Web Panel v2.0.90. It includes the vulnerable endpoint, payload, attack scenario, and mitigation recommendations.

Description

Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.

Exploits (1)

github WRITEUP
by Razielx64 · poc
https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS

The repository provides a detailed technical analysis of CVE-2025-69606, a reflected XSS vulnerability in GSVoIP Web Panel v2.0.90. It includes the vulnerable endpoint, payload, attack scenario, and mitigation recommendations.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GSVoIP Web Panel v2.0.90
No auth needed
Prerequisites: Victim interaction (clicking a malicious link)
devstral-2 · analyzed May 02, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 6.1
EPSS 0.0035
EPSS Percentile 27.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Published May 01, 2026
Tracked Since May 02, 2026