Cross-Site Scripting Vulnerability in ExpressGateway by FreshFish
CVE-2025-9096

3.5LOW

Key Information:

Vendor: FreshFish
Status: ExpressGateway
Vendor: CVE Published:; 18 August 2025

What is CVE-2025-9096?

A cross-site scripting vulnerability exists in the ExpressGateway up to version 1.16.10, specifically within the REST Endpoint component found in the lib/rest/routes/apps.js file. This flaw allows attackers to manipulate input, potentially leading to unauthorized script execution in users' browsers. Exploitation can occur remotely, raising significant security concerns for deployments utilizing affected versions of the software. The issue was disclosed publicly, and while the vendor was notified, no response has been recorded. Organizations using ExpressGateway should assess their systems and update to the latest version to mitigate potential risks.

References

https://github.com/freshfish-hust/my-cves/issues/6

https://github.com/freshfish-hust/my-cves/issues/6#issue-...

https://vuldb.com/?ctiid.320418

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 18, 2025