Reflected Cross-Site Scripting Vulnerability in Xibo CMS by Xibo Signage
CVE-2025-41089

4.8MEDIUM

Key Information:

Vendor

Xibo Signage

Status
Xibo Cms
Vendor
CVE Published:
10 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-41089?

A reflected cross-site scripting (XSS) vulnerability exists in Xibo CMS v4.1.2, allowing attackers to manipulate user input without proper validation. By creating a template in the 'Templates' section and adjusting the 'Configuration Name' field in elements like the 'Clock' widget, an attacker can execute malicious scripts in the context of a user's session. This can lead to unauthorized actions and data exposure, making it crucial for users to apply mitigations provided by the vendor.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Xibo CMS 0 < 4.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-41089
Created by Marinafabregat

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marina Fabregat Expósito
JSON
.