CVE-2025-26514

{"id": "CVE-2025-26514", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-alert@netapp.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.6}]}, "published": "2025-09-19T19:15:38.367", "references": [{"url": "https://security.netapp.com/advisory/NTAP-20250910-0001", "tags": ["Vendor Advisory"], "source": "security-alert@netapp.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-alert@netapp.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "StorageGRID (formerly \nStorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are \nsusceptible to a Reflected Cross-Site Scripting vulnerability. \nSuccessful exploit could allow an attacker to view or modify \nconfiguration settings or add or modify user accounts but requires the \nattacker to know specific information about the target instance and then\n trick a privileged user into clicking a specially crafted link."}], "lastModified": "2025-09-23T14:32:00.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52CC3E7A-9725-45F5-805E-9E135B8E69E8", "versionEndExcluding": "11.8.0.15"}, {"criteria": "cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF444D2C-DE7F-424A-B735-5697CD129016", "versionEndExcluding": "11.9.0.8", "versionStartIncluding": "11.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@netapp.com"}