Cross-Site Scripting Vulnerability in CISA Software Acquisition Guide Supplier Response Web Tool
CVE-2025-67634
4.6 MEDIUM
What is CVE-2025-67634?
The CISA Software Acquisition Guide Supplier Response Web Tool prior to December 11, 2025, is susceptible to cross-site scripting attacks via improperly handled text fields. Attackers can exploit this vulnerability by persuading users to import a crafted JSON file containing malicious JavaScript. When users interact with the tool and submit their data, the JavaScript code is executed within their browser context, potentially leading to unauthorized actions or data exposure.
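The import-then-render path described above can be checked and hardened as in the following added example, which is not code from the CISA tool. The field names (`supplier`, `answers`, `text`), the summary-rendering step and the sample file are assumptions made for illustration.

```javascript
// Added example: field names and the summary step are assumptions,
// not taken from the CISA tool's source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk an imported object and return the paths of string fields that contain
// markup-significant characters, so the import step can warn or reject.
function findMarkupFields(node, path = '$', hits = []) {
  if (typeof node === 'string') {
    if (/[<>]/.test(node)) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findMarkupFields(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) findMarkupFields(val, `${path}.${key}`, hits);
  }
  return hits;
}

// Weak pattern: imported text concatenated straight into markup.
function renderSummaryUnsafe(resp) {
  return `<li>${resp.supplier}: ${resp.answers.map((a) => a.text).join('; ')}</li>`;
}

// Hardened pattern: every imported string is encoded before it reaches HTML.
function renderSummarySafe(resp) {
  const answers = resp.answers.map((a) => escapeHtml(a.text)).join('; ');
  return `<li>${escapeHtml(resp.supplier)}: ${answers}</li>`;
}

// Constructed sample import file (not a real supplier response).
const importedJson = JSON.stringify({
  supplier: 'Example Corp',
  answers: [
    { id: 'Q1', text: 'We sign all releases.' },
    { id: 'Q2', text: '<img src=x onerror="alert(1)">' },
  ],
});

const parsed = JSON.parse(importedJson);
console.log('fields with markup:', findMarkupFields(parsed));
console.log('unsafe:', renderSummaryUnsafe(parsed));
console.log('safe:  ', renderSummarySafe(parsed));
```

In a browser, assigning imported values through `textContent` rather than `innerHTML` gives the same protection without manual encoding.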
Affected Version(s)
Software Acquisition Guide Tool 0 < 2025-12-11
Software Acquisition Guide Tool 2025-12-11
