CVE-2025-42620
CSRF vulnerability in CIRCL Vulnerability-Lookup
Description
In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html). This issue affects Vulnerability-Lookup: before 2.18.0.
INFO
Published Date :
Dec. 8, 2025, 12:15 p.m.
Last Modified :
Dec. 8, 2025, 12:15 p.m.
Remotely Exploit :
Yes !
Source :
ENISA
Affected Products
The following products are affected by CVE-2025-42620
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | HIGH | a6d3dc9e-0591-4a13-bce7-0f5b31ff6158 |
Solution
- Update Vulnerability-Lookup to version 2.18.0 or later.
- Sanitize user input before processing.
- Validate data before rendering.
- Avoid direct DOM injection.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-42620 vulnerability anywhere in the article.