CVE-2025-70336

MEDIUM

PodcastGenerator 3.2.9 - Stored Cross-Site Scripting via Live Item Title and Description Parameters

Description

A stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. The saved payload is executed on the 'View All Live Items' and 'Live Stream' pages.

Scores

CVSS v3 4.8
EPSS 0.0018
EPSS Percentile 7.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
podcastgenerator/podcast_generator 3.2.9
Published Jan 28, 2026
Tracked Since Feb 18, 2026