CVE-2025-51488

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-51488
A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.4, allowing remote attackers to store and execute arbitrary JavaScript by including a malicious HTML payload in the Name parameter when creating a new Admin.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/GiacoLenzo2109/MoonShine_Software_PoCs
https://github.com/moonshine-software/moonshine
Configurations

No configuration.

History

20 Aug 2025, 19:15

Type Values Removed Values Added
Summary (en) A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. (en) A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.4, allowing remote attackers to store and execute arbitrary JavaScript by including a malicious HTML payload in the Name parameter when creating a new Admin.

20 Aug 2025, 14:40

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de cross site scripting (XSS) almacenado en la función Crear administrador de MoonShine v3.12.3 permite a los atacantes ejecutar scripts web o HTML arbitrarios mediante la inyección de un payload manipulado en el parámetro Nombre.

19 Aug 2025, 19:15

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.9

19 Aug 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-19 15:15

Updated : 2025-08-20 19:15

NVD link : CVE-2025-51488

Mitre link : CVE-2025-51488

CVE.ORG link : CVE-2025-51488

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')