Cross-Site Scripting Vulnerability in AVEVA Application Server
CVE-2025-8386
7.2 HIGH
What is CVE-2025-8386?
This security flaw in AVEVA Application Server allows an authenticated user with specific privileges to manipulate help files associated with App Objects. If successfully exploited, the vulnerability can lead to cross-site scripting (XSS), enabling an attacker to execute malicious scripts in a victim's browser. The risk of exploitation is particularly high during configuration operations within the Integrated Development Environment (IDE) component; the runtime components remain unaffected. The consequences can include privilege escalation for the attacker, because the malicious scripts can perform actions on behalf of the victim.
Affected Version(s)
Application Server 0
