CVE-2025-11687

EUVD-2025-206336
A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
redhatCNA
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Debian logo
Debian Releases
Debian Product
Codename
gi-docgen
bookworm
no-dsa
forky
2026.1-1
fixed
sid
2026.1-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gi-docgen
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-11687
https://bugzilla.redhat.com/show_bug.cgi?id=2403536
https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228