CVE-2025-42620

08.12.2025, 13:15

In affected versions, vulnerability-lookup handled user-controlled
content in comments and bundles in an unsafe way, which could lead to
stored Cross-Site Scripting (XSS).

On the backend, the related_vulnerabilities field of bundles accepted
arbitrary strings without format validation or proper sanitization. On
the frontend, comment and bundle descriptions were converted from
Markdown to HTML and then injected directly into the DOM using string
templates and innerHTML. This combination allowed an attacker who could
create or edit comments or bundles to store crafted HTML/JavaScript
payloads which would later be rendered and executed in the browser of
any user visiting the affected profile page (user.html).

This issue affects Vulnerability-Lookup: before 2.18.0.

Cross-site Scripting

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
ENISA	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://vulnerability.circl.lu/vuln/gcve-1-2025-0035