Cross-Site Scripting Vulnerability in QGIS QWC2 by QGIS
CVE-2025-11183
6.9 MEDIUM
What is CVE-2025-11183?
A Cross-Site Scripting (XSS) vulnerability has been identified in the attribute table of QGIS QWC2 prior to version 2025.08.14. This issue allows an authorized attacker to inject arbitrary JavaScript code into the page, potentially compromising user data and web application integrity. It is crucial for users of QGIS QWC2 to update to the latest version to mitigate this risk and safeguard their applications against such attacks.
Affected Version(s)
QWC2 0 < 2025.08.14
QWC2 2025.08.14
References
CVSS V4
Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Swiss National Test Institute for Cybersecurity NTC
Swiss National Cybersecurity Centre
Sandro Mani