CVE-2025-51489
EUVD-2025-2518019.08.2025, 15:15
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| moonshine | moonshine | 𝑥 < 3.12.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CWE-434 - Unrestricted Upload of File with Dangerous TypeThe software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.