Cross-Site Scripting Vulnerability in LB-Link Router Web Interface
CVE-2025-51569

6.1 MEDIUM

Key Information:

Vendor: LB-Link
CVE Published: 31 July 2025

What is CVE-2025-51569?

A cross-site scripting (XSS) vulnerability has been identified in the web interface of the LB-Link BL-CPE300M router, specifically affecting version 01.01.02P42U14_06. The /goform/goform_get_cmd_process endpoint fails to properly sanitize user input. As a result, unauthenticated attackers can inject malicious JavaScript into the router's response, which executes in the context of the router's web interface when a specially crafted URL is accessed. Exploitation requires user interaction and puts user sessions and data integrity at risk. Users should apply the recommended updates to mitigate this issue.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
