Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    20 vulnerabilities found for Vulnerability-Lookup by CIRCL

    CVE-2025-42620 (GCVE-0-2025-42620)

    Vulnerability from nvd – Published: 2025-12-08 12:15 – Updated: 2025-12-08 12:27
    VLAI
    Title
    CSRF vulnerability in CIRCL Vulnerability-Lookup
    Summary
    In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42620",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T12:27:00.493206Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T12:27:15.797Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\n\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\nIn affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u0026nbsp;\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u00a0\n\n\n\n\n\n\n\nThis issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:15:15.950Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42620",
        "datePublished": "2025-12-08T12:15:15.950Z",
        "dateReserved": "2025-04-16T12:34:02.867Z",
        "dateUpdated": "2025-12-08T12:27:15.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-42616 (GCVE-0-2025-42616)

    Vulnerability from nvd – Published: 2025-12-08 12:09 – Updated: 2025-12-08 14:46
    VLAI
    Title
    CSRF vulnerability in CIRCL Vulnerability-Lookup
    Summary
    Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness.  The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T14:46:29.136113Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T14:46:41.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eSome endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u0026nbsp;\u003cbr\u003eThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u0026nbsp;This issue affects Vulnerability-Lookup: before 2.18.0.\u003c/div\u003e"
                }
              ],
              "value": "Some endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u00a0\nThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u00a0This issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:58:58.408Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0034"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42616",
        "datePublished": "2025-12-08T12:09:22.893Z",
        "dateReserved": "2025-04-16T12:34:02.866Z",
        "dateUpdated": "2025-12-08T14:46:41.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-42615 (GCVE-0-2025-42615)

    Vulnerability from nvd – Published: 2025-12-08 12:01 – Updated: 2025-12-08 20:10
    VLAI
    Title
    Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup
    Summary
    In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T16:58:48.964002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T20:10:21.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:01:05.831Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0033"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42615",
        "datePublished": "2025-12-08T12:01:05.831Z",
        "dateReserved": "2025-04-16T12:34:02.866Z",
        "dateUpdated": "2025-12-08T20:10:21.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-60249 (GCVE-0-2025-60249)

    Vulnerability from nvd – Published: 2025-09-25 00:00 – Updated: 2025-09-26 17:44
    VLAI
    Summary
    vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: 2.16.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-60249",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-26T17:43:48.433562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-26T17:44:06.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-25T17:14:03.641Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-60249",
        "datePublished": "2025-09-25T00:00:00.000Z",
        "dateReserved": "2025-09-25T00:00:00.000Z",
        "dateUpdated": "2025-09-26T17:44:06.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32413 (GCVE-0-2025-32413)

    Vulnerability from nvd – Published: 2025-04-08 00:00 – Updated: 2025-04-08 14:52
    VLAI
    Summary
    Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T14:28:55.601560Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T14:52:10.347Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T02:27:52.326Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/0a120af1de4a0a13bc2e2000f3c4639291122ba0"
            },
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/compare/v2.7.0...v2.7.1"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-32413",
        "datePublished": "2025-04-08T00:00:00.000Z",
        "dateReserved": "2025-04-08T00:00:00.000Z",
        "dateUpdated": "2025-04-08T14:52:10.347Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-42620 (GCVE-0-2025-42620)

    Vulnerability from cvelistv5 – Published: 2025-12-08 12:15 – Updated: 2025-12-08 12:27
    VLAI
    Title
    CSRF vulnerability in CIRCL Vulnerability-Lookup
    Summary
    In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).  This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42620",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T12:27:00.493206Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T12:27:15.797Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\n\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\nIn affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u0026nbsp;\u003c/div\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup handled user-controlled \ncontent in comments and bundles in an unsafe way, which could lead to \nstored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted \narbitrary strings without format validation or proper sanitization. On \nthe frontend, comment and bundle descriptions were converted from \nMarkdown to HTML and then injected directly into the DOM using string \ntemplates and innerHTML. This combination allowed an attacker who could \ncreate or edit comments or bundles to store crafted HTML/JavaScript \npayloads which would later be rendered and executed in the browser of \nany user visiting the affected profile page (user.html).\u00a0\n\n\n\n\n\n\n\nThis issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:15:15.950Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0035"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42620",
        "datePublished": "2025-12-08T12:15:15.950Z",
        "dateReserved": "2025-04-16T12:34:02.867Z",
        "dateUpdated": "2025-12-08T12:27:15.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-42616 (GCVE-0-2025-42616)

    Vulnerability from cvelistv5 – Published: 2025-12-08 12:09 – Updated: 2025-12-08 14:46
    VLAI
    Title
    CSRF vulnerability in CIRCL Vulnerability-Lookup
    Summary
    Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness.  The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T14:46:29.136113Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T14:46:41.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eSome endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u0026nbsp;\u003cbr\u003eThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u0026nbsp;This issue affects Vulnerability-Lookup: before 2.18.0.\u003c/div\u003e"
                }
              ],
              "value": "Some endpoints in vulnerability-lookup that modified \napplication state (e.g. changing database entries, user data, \nconfigurations, or other privileged actions) may have been accessible \nvia HTTP GET requests without requiring a CSRF token. This flaw leaves \nthe application vulnerable to Cross-Site Request Forgery (CSRF) attacks:\n an attacker who tricks a logged-in user into visiting a malicious \nwebsite could cause the user\u2019s browser to issue GET requests that \nperform unintended state-changing operations in the context of their \nauthenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no \nCSRF protection or POST method enforcement was in place), the attacker \ncould exploit this to escalate privileges, change settings, or carry out\n other unauthorized actions without needing the user\u2019s explicit consent \nor awareness.\u00a0\nThe fix ensures that all state-changing endpoints now require HTTP POST \nrequests and include a valid CSRF token. This enforces that state \nchanges cannot be triggered by arbitrary cross-site GET requests.\u00a0This issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:58:58.408Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0034"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CSRF vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42616",
        "datePublished": "2025-12-08T12:09:22.893Z",
        "dateReserved": "2025-04-16T12:34:02.866Z",
        "dateUpdated": "2025-12-08T14:46:41.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-42615 (GCVE-0-2025-42615)

    Vulnerability from cvelistv5 – Published: 2025-12-08 12:01 – Updated: 2025-12-08 20:10
    VLAI
    Title
    Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup
    Summary
    In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    References
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.18.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-42615",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T16:58:48.964002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T20:10:21.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.\u003cp\u003eThis issue affects Vulnerability-Lookup: before 2.18.0.\u003c/p\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup did not track or limit failed\n One-Time Password (OTP) attempts during Two-Factor Authentication (2FA)\n verification. An attacker who already knew or guessed a valid username \nand password could submit an arbitrary number of OTP codes without \ncausing the account to be locked or generating any specific alert for \nadministrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly \nlowers the cost of online brute-force attacks against 2FA codes and \nincreases the risk of successful account takeover, especially if OTP \nentropy is reduced (e.g. short numeric codes, user reuse, or predictable\n tokens). Additionally, administrators had no direct visibility into \naccounts experiencing repeated 2FA failures, making targeted attacks \nharder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user \naccounts, locks the user after 5 invalid OTP submissions, resets the \ncounter on successful verification, and surfaces failed 2FA attempts in \nthe admin user list. This enforces an account lockout policy for OTP \nbrute-force attempts and improves monitoring capabilities for suspicious\n 2FA activity.This issue affects Vulnerability-Lookup: before 2.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-08T12:01:05.831Z",
            "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
            "shortName": "ENISA"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://vulnerability.circl.lu/vuln/gcve-1-2025-0033"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Restriction of Excessive Authentication Attempts vulnerability in CIRCL Vulnerability-Lookup",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "assignerShortName": "ENISA",
        "cveId": "CVE-2025-42615",
        "datePublished": "2025-12-08T12:01:05.831Z",
        "dateReserved": "2025-04-16T12:34:02.866Z",
        "dateUpdated": "2025-12-08T20:10:21.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-60249 (GCVE-0-2025-60249)

    Vulnerability from cvelistv5 – Published: 2025-09-25 00:00 – Updated: 2025-09-26 17:44
    VLAI
    Summary
    vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: 2.16.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-60249",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-26T17:43:48.433562Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-26T17:44:06.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.16.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vulnerability-lookup 2.16.0 allows XSS in bundle.py, comment.py, and user.py, by a user on a vulnerability-lookup instance who can add bundles, comments, or sightings. A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Bundles, Comments, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-25T17:14:03.641Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-60249",
        "datePublished": "2025-09-25T00:00:00.000Z",
        "dateReserved": "2025-09-25T00:00:00.000Z",
        "dateUpdated": "2025-09-26T17:44:06.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32413 (GCVE-0-2025-32413)

    Vulnerability from cvelistv5 – Published: 2025-04-08 00:00 – Updated: 2025-04-08 14:52
    VLAI
    Summary
    Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: 0 , < 2.7.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-08T14:28:55.601560Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-08T14:52:10.347Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Vulnerability-Lookup before 2.7.1 allows stored XSS via a user bio in website/web/views/user.py."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-08T02:27:52.326Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/0a120af1de4a0a13bc2e2000f3c4639291122ba0"
            },
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/compare/v2.7.0...v2.7.1"
            }
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-32413",
        "datePublished": "2025-04-08T00:00:00.000Z",
        "dateReserved": "2025-04-08T00:00:00.000Z",
        "dateUpdated": "2025-04-08T14:52:10.347Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0035 (CVE-2025-42620)

    Vulnerability from gna-1 – Published: 2025-12-08 10:25 – Updated: 2025-12-08 12:14
    VLAI
    Title
    Insufficient sanitization of bundle metadata (available to admin only) and unsafe DOM construction allows stored XSS
    Summary
    In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html).
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: < 2.18.0
    Create a notification for this product.
    Credits
    ENISA Cedric Bonhomme

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ENISA"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\nIn affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS).\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eOn the backend, the \u003ccode\u003erelated_vulnerabilities\u003c/code\u003e field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and \u003ccode\u003einnerHTML\u003c/code\u003e. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (\u003ccode\u003euser.html\u003c/code\u003e).\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS).\n\n\n\n\nOn the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/1811ef92b3d9555bb4ca731266bfebc3090f2ea9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient sanitization of bundle metadata (available to admin only) and unsafe DOM construction allows stored XSS",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "cveId": "CVE-2025-42620",
        "datePublished": "2025-12-08T10:25:00.000Z",
        "dateUpdated": "2025-12-08T12:14:06.307298Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0035",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T10:25:13.022469Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T12:14:06.307298Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0034 (CVE-2025-42616)

    Vulnerability from gna-1 – Published: 2025-12-08 10:19 – Updated: 2025-12-08 12:13
    VLAI
    Title
    Missing CSRF protection on state-changing endpoints in Vulnerability-Lookup, potential cross-site request forgery (CSRF)
    Summary
    Before the fix, some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness. The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: < 2.18.0
    Create a notification for this product.
    Credits
    ENISA Cedric Bonhomme

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ENISA"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eBefore the fix, some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user\u2019s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session.\u003c/p\u003e\n\u003cp\u003eBecause the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user\u2019s explicit consent or awareness.\u003c/p\u003e\n\u003cp\u003eThe fix ensures that \u003cstrong\u003eall\u003c/strong\u003e state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "Before the fix, some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user\u2019s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session.\n\n\nBecause the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user\u2019s explicit consent or awareness.\n\n\nThe fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/a6c568db7bfcf6135bb963c225ff6d0961914a50"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing CSRF protection on state-changing endpoints in Vulnerability-Lookup, potential cross-site request forgery (CSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "cveId": "CVE-2025-42616",
        "datePublished": "2025-12-08T10:19:00.000Z",
        "dateUpdated": "2025-12-08T12:13:24.197294Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0034",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T10:19:06.073025Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T12:13:24.197294Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0033 (CVE-2025-42615)

    Vulnerability from gna-1 – Published: 2025-12-08 10:11 – Updated: 2025-12-08 12:12
    VLAI
    Title
    Vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification.
    Summary
    In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: < 2.18.0
    Create a notification for this product.
    Credits
    Cedric Bonhomme ENISA

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.18.0",
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "ENISA"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators.\u003c/p\u003e\n\u003cp\u003eThis lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate.\u003c/p\u003e\n\u003cp\u003eThe patch introduces a persistent \u003ccode\u003efailed_otp_attempts\u003c/code\u003e counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators.\n\n\nThis lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate.\n\n\nThe patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/113b1fe49fea2dd964a7da6b1e7f300be0fa3dfc"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "cveId": "CVE-2025-42615",
        "datePublished": "2025-12-08T10:11:00.000Z",
        "dateUpdated": "2025-12-08T12:12:53.235996Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0033",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T10:11:44.833694Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-12-08T12:12:53.235996Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0009

    Vulnerability from gna-1 – Published: 2025-10-13 09:20 – Updated: 2025-10-13 09:20
    VLAI
    Title
    A pre-auth user could self-assign a reporter without being authenticated
    Summary
    A pre-auth user could self-assign a reporter without being authenticated
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Credits
    🕵️‍♂️ Jeroen Pinoy - @Wachizungu 🐞 Cedric Bonhomme 📸 Alexandre Dulaunoy 🎨

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeroen Pinoy  - @Wachizungu"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Alexandre Dulaunoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A pre-auth user could self-assign a reporter without being authenticated"
                }
              ],
              "value": "A pre-auth user could self-assign a reporter without being authenticated"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/6f7b4af932ebd04fa899eb7780fb6b007f442eac"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A pre-auth user could self-assign a reporter without being authenticated",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-10-13T09:20:24.800890Z",
        "dateUpdated": "2025-10-13T09:20:24.800890Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0009",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T09:20:24.800890Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0008

    Vulnerability from gna-1 – Published: 2025-10-13 09:10 – Updated: 2025-10-13 09:15
    VLAI
    Title
    Logged users can view vulnerability disclosure comments if they know the ID
    Summary
    Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure).
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    🕵️‍♂️ Jeroen Pinoy - @Wachizungu 🐞 Cedric Bonhomme 📸 Alexandre Dulaunoy 🎨

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeroen Pinoy  - @Wachizungu"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Alexandre Dulaunoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure)."
                }
              ],
              "value": "Logged users can view vulnerability disclosure comments if they know the ID instead of the limited view (date of disclosure)."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/aabc899c7d76dca0cf66718bbd2fb95cfd31b0ed"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Logged users can view vulnerability disclosure comments if they know the ID",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-10-13T09:10:00.000Z",
        "dateUpdated": "2025-10-13T09:15:31.637686Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0008",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T09:10:54.912715Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T09:15:31.637686Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0007

    Vulnerability from gna-1 – Published: 2025-10-13 08:37 – Updated: 2025-10-13 08:51
    VLAI
    Title
    Missing email validation on user management
    Summary
    Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Credits
    🕵️‍♂️ Jeroen Pinoy - @Wachizungu 🐞 Cedric Bonhomme 📸 Alexandre Dulaunoy 🎨

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeroen Pinoy  - @Wachizungu"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Alexandre Dulaunoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability."
                }
              ],
              "value": "Missing email validation on user management when user change his/her password which means no email validation would have been seen by the user. This GCVE vulnerability is more informational than a directly exploitable vulnerability."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NO",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/S:N/AU:N/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/326ce42d8661603b4b3b3c5d45992758de0f804a"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing email validation on user management",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-10-13T08:37:00.000Z",
        "dateUpdated": "2025-10-13T08:51:37.408861Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0007",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T08:37:18.494750Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T08:51:37.408861Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0006

    Vulnerability from gna-1 – Published: 2025-10-13 08:29 – Updated: 2025-10-13 08:52
    VLAI
    Title
    Potential XSS in admin CPE in organization model
    Summary
    Potential self XSS in admin in the CPE add interface in the models/organization.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    🕵️‍♂️ Jeroen Pinoy - @Wachizungu 🐞 Cedric Bonhomme 📸 Alexandre Dulaunoy 🎨

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeroen Pinoy  - @Wachizungu"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Alexandre Dulaunoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Potential self XSS in admin in the CPE add interface in the models/organization."
                }
              ],
              "value": "Potential self XSS in admin in the CPE add interface in the models/organization."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-549",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-549 Local Execution of Code"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/540366000f2fa27b08bbcc42b1e89927b68b9df6"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Potential XSS in admin CPE in organization model",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-10-13T08:29:00.000Z",
        "dateUpdated": "2025-10-13T08:52:23.411325Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0006",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T08:29:46.581792Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T08:52:23.411325Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0005

    Vulnerability from gna-1 – Published: 2025-10-13 08:23 – Updated: 2025-10-13 08:23
    VLAI
    Title
    Reflected XSS due to insecure use of Markup
    Summary
    Insecure use of Markup in views/home which leads to potential reflected XSS.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: ≤ 2.16
    Create a notification for this product.
    Date Public
    2025-10-10 23:00
    Credits
    🕵️‍♂️ Jeroen Pinoy - @Wachizungu 🐞 Cedric Bonhomme 📸 Alexandre Dulaunoy 🎨

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThanOrEqual": "2.16",
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeroen Pinoy  - @Wachizungu"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Cedric Bonhomme"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Alexandre Dulaunoy"
            }
          ],
          "datePublic": "2025-10-10T23:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insecure use of Markup in views/home which leads to potential reflected XSS."
                }
              ],
              "value": "Insecure use of Markup in views/home which leads to potential reflected XSS."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-549",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-549 Local Execution of Code"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/378ccdf95882d1a02576552e26ce222cde0bd636"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reflected XSS due to insecure use of Markup",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-10-13T08:23:29.812914Z",
        "dateUpdated": "2025-10-13T08:23:29.812914Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0005",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-10-13T08:23:29.812914Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0004 (CVE-2025-60249)

    Vulnerability from gna-1 – Published: 2025-09-25 14:10 – Updated: 2025-11-19 10:16
    VLAI
    Title
    XSS in Comments, Bundles, and Sightings component of vulnerability-lookup
    Summary
    A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL vulnerability-lookup Affected: < 2.16.0
    Create a notification for this product.
    Credits
    🕵️‍♂️ @Wachizungu 🐞

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "lessThan": "2.16.0",
                  "status": "affected"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "@Wachizungu"
            },
            {
              "lang": "en",
              "type": "finder"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of \u003ccode\u003einnerHTML\u003c/code\u003e and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing \u003ccode\u003einnerHTML\u003c/code\u003e assignments with safer DOM methods, encoding URLs with \u003ccode\u003eencodeURIComponent\u003c/code\u003e, and improving input validation in the affected models."
                }
              ],
              "value": "A cross-site scripting (XSS) vulnerability was discovered in the handling of user-supplied input in the Comments, Bundles, and Sightings components. Untrusted data was not properly sanitized before being rendered in templates and tables, which could allow attackers to inject arbitrary JavaScript into the application. The issue was due to unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. This vulnerability has been fixed by escaping untrusted data, replacing innerHTML assignments with safer DOM methods, encoding URLs with encodeURIComponent, and improving input validation in the affected models."
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/afa12347f1461d9481eba75ac19897e80a9c7434"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "XSS in Comments, Bundles, and Sightings component of vulnerability-lookup",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "cveId": "cve-2025-60249",
        "datePublished": "2025-09-25T14:10:00.000Z",
        "dateUpdated": "2025-11-19T10:16:47.656802Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "gcve-1-2025-0004",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2025-09-25T14:10:26.445421Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-11-19T10:16:47.656802Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    GCVE-1-2025-0001

    Vulnerability from gna-1 – Published: 2025-05-27 08:58 – Updated: 2025-05-30 14:27
    VLAI
    Title
    The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.
    Summary
    The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    CIRCL Vulnerability-Lookup Affected: ≤ 2.10.0 (semver)
    Create a notification for this product.
    Date Public
    2025-05-27 08:57
    Credits
    Devansh Chauhan

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Vulnerability-Lookup",
              "repo": "https://github.com/vulnerability-lookup/vulnerability-lookup",
              "vendor": "CIRCL",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.10.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.10.0",
                  "status": "affected",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Devansh Chauhan"
            }
          ],
          "datePublic": "2025-05-27T08:57:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "CLEAR",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/AU:Y/R:U/RE:L/U:Clear",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "LOW"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/cf9000ec0bb17b5d2ff8fe5177e5bd14d666bd08"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.10.1"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "The absence of a password confirmation step when deactivating an account allows a CSRF request to potentially initiate the deactivation for an authenticated user.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "datePublished": "2025-05-27T08:58:00.000Z",
        "dateUpdated": "2025-05-30T14:27:56.273945Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2025-0001",
        "vulnerabilitylookup_history": [
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-27T08:58:26.587622Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-27T12:19:23.219289Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-27T12:22:53.439544Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-27T12:23:35.245899Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-30T14:18:32.214488Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2025-05-30T14:27:56.273945Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }