CVE-2025-52036

MEDIUM EPSS 9.2%
Published Aug 26, 2025 (10mo ago) · Modified Jun 17, 2026 (2w ago)
6.1 CVSS 3.1
Medium

Description

A vulnerability has been found in NotesCMS and classified as medium. Affected by this vulnerability is the page /index.php?route=categories. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08), and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. CWE Definition of the Vulnerability: CWE-79.

CVSS Details

Base Score: 6.1
Exploitability: 2.8
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

EPSS Exploit Probability: 9.2% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor | Product | Version | Range
exe-system | notescms | * | ≥2024-05-08 – <2025-03-31

References 2

  • gist.github.com https://gist.github.com/yA0-Z/aeea5af372fec0085c6a4a7bb9c6bc8e
    Third Party Advisory
  • github.com https://github.com/PrivateAccount/NotesCMS/issues/1
    Exploit, Issue Tracking, Patch

Remediation

  • github.com https://github.com/PrivateAccount/NotesCMS/issues/1
    Exploit, Issue Tracking, Patch