Stored Cross Site Scripting Vulnerability in ShineLan-X by ShineLan
CVE-2025-36750

8.5HIGH

Key Information:

Vendor: Growatt
Status: Shinelan-x
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-36750?

ShineLan-X presents a stored cross site scripting vulnerability in the Plant Name field. This flaw allows an attacker to inject a malicious HTML payload, which will then be displayed on the plant management page. Consequently, when a legitimate user visits this page, their browser's JavaScript engine may execute the attacker's code, potentially leading to unauthorized actions on behalf of the user.

Affected Version(s)

ShineLan-X 3.6.0.0 <= 3.6.0.2

References

https://csirt.divd.nl/CVE-2025-36750/

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

Hamid Rahmouni

Victor Pasman

JSON

Growatt

What is CVE-2025-36750?

Affected Version(s)

References

CVSS V4

Timeline

Credit