Cross-Site Scripting Vulnerability in Report Builder Component of WebConsole by Commvault
CVE-2025-12776

1.8LOW

Key Information:

Vendor: Commvault
Status: Webconsole
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-12776?

The Report Builder component of the WebConsole from Commvault is vulnerable to a Cross-Site Scripting (XSS) attack due to improper handling of user input. This weakness allows malicious scripts to be injected and run when reports are modified by users with edit permissions. Although the scripts are not executed in reports viewed by end users, the risk remains significant for systems still utilizing the WebConsole, which is now end of life and no longer maintained. It is crucial to avoid deploying this package in production environments unless in a fully isolated network, as it may contain unpatched security flaws that could compromise sensitive data.

Affected Version(s)

WebConsole 11.32.0 <= 11.32.*

WebConsole 11.36.0 <= 11.36.*

WebConsole 11.40.1

References

https://documentation.commvault.com/securityadvisories/CV...

CVSS V4

Score:

1.8

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Nov 5, 2025

Credit

NCIA researchers

JSON