Stored Cross Site Scripting Vulnerability in ShineLan-X by ShineLan
CVE-2025-36748

8.4 HIGH

Key Information:

Vendor: Growatt
CVE Published: 13 December 2025

What is CVE-2025-36748?

ShineLan-X is vulnerable to a stored cross-site scripting (XSS) attack through its local configuration web server. An attacker can exploit this vulnerability by injecting malicious JavaScript into the communication module's settings center. Because the injected code is stored, it executes in the browser of a legitimate user, where it can compromise that browser, allowing unauthorized manipulation and access to sensitive information. Users of ShineLan-X should update to the latest version to protect against potential exploits.

Affected Version(s)

ShineLan-X 3.6.0.0 <= 3.6.0.2

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hamid Rahmouni
Victor Pasman