CVE-2025-65572

6.1 MEDIUM
Published: December 09, 2025 Modified: December 16, 2025
View on NVD

Description

Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://gh0stmezh.wordpress.com/2025/12/04/cve-2025-65572/
Source: cve@mitre.org
Exploit Third Party Advisory
https://github.com/AllskyTeam/allsky
Source: cve@mitre.org
Product
https://github.com/AllskyTeam/allsky/blob/master/html/includes/allskySettings.php
Source: cve@mitre.org
Product
https://github.com/AllskyTeam/allsky/blob/master/html/includes/status_messages.php
Source: cve@mitre.org
Product

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.1 / 10.0
EPSS (Exploit Probability)
0.1%
23th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

allskyteam

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3