CVE-2025-41065 (GCVE-0-2025-41065)

Vulnerability from cvelistv5 – Published: 2026-02-03 09:27 – Updated: 2026-02-03 17:16
VLAI?
Title
Stored Cross-Site Scripting (XSS) in LUNA from Luna Imaging
Summary
Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
Luna Imaging LUNA Affected: 7.5.5.6
Create a notification for this product.
Credits
Miguel Segovia Gil
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T17:16:47.893766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T17:16:58.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LUNA",
          "vendor": "Luna Imaging",
          "versions": [
            {
              "status": "affected",
              "version": "7.5.5.6"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:luna_imaging:luna:7.5.5.6:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Miguel Segovia Gil"
        }
      ],
      "datePublic": "2026-02-02T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by inyecting a malicious payload through the \u0027Edit Batch Name\u0027 function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
            }
          ],
          "value": "Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by inyecting a malicious payload through the \u0027Edit Batch Name\u0027 function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T09:27:01.117Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stored Cross-Site Scripting (XSS) in LUNA from Luna Imaging",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2025-41065",
    "datePublished": "2026-02-03T09:27:01.117Z",
    "dateReserved": "2025-04-16T09:09:34.457Z",
    "dateUpdated": "2026-02-03T17:16:58.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-41065\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2026-02-03T10:15:55.140\",\"lastModified\":\"2026-02-03T16:44:03.343\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by inyecting a malicious payload through the \u0027Edit Batch Name\u0027 function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging\",\"source\":\"cve-coordination@incibe.es\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-41065\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T17:16:47.893766Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T17:16:54.545Z\"}}], \"cna\": {\"title\": \"Stored Cross-Site Scripting (XSS) in LUNA from Luna Imaging\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Miguel Segovia Gil\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Luna Imaging\", \"product\": \"LUNA\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.5.5.6\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-02-02T11:00:00.000Z\", \"references\": [{\"url\": \"https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by inyecting a malicious payload through the \u0027Edit Batch Name\u0027 function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim\u0027s browser by inyecting a malicious payload through the \u0027Edit Batch Name\u0027 function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:luna_imaging:luna:7.5.5.6:*:*:*:*:*:*:*\", \"vulnerable\": true}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"shortName\": \"INCIBE\", \"dateUpdated\": \"2026-02-03T09:27:01.117Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-41065\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T17:16:58.867Z\", \"dateReserved\": \"2025-04-16T09:09:34.457Z\", \"assignerOrgId\": \"0cbda920-cd7f-484a-8e76-bf7f4b7f4516\", \"datePublished\": \"2026-02-03T09:27:01.117Z\", \"assignerShortName\": \"INCIBE\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.