CVE-2025-40633

A Stored Cross-Site Scripting (XSS) vulnerability has been found in
Koibox in versions prior to e8cbce2. This vulnerability allows an
authenticated attacker to upload an image containing malicious
JavaScript code as a profile picture in the
'/es/dashboard/clientes/ficha/' endpoint.
Cross-site Scripting
Provider / Type / Base Score / Atk. Vector / Atk. Complexity / Priv. Required / Vector
NIST (NIST): UNKNOWN, ---
INCIBE (CNA): ---, ---
CISA-ADP (ADP): ---, ---