Reflected Cross-Site Scripting Vulnerability in Xibo CMS by Xibo Signage
CVE-2025-41089
4.8 MEDIUM
What is CVE-2025-41089?
A reflected cross-site scripting (XSS) vulnerability exists in Xibo CMS v4.1.2, in which user input is not properly validated. By creating a template in the 'Templates' section and modifying the 'Configuration Name' field of an element such as the 'Clock' widget, an attacker can execute malicious scripts in the context of a user's session. This can lead to unauthorized actions and data exposure, so users should apply the mitigations provided by the vendor.
Affected Version(s)
Xibo CMS 0 < 4.2.2