CVE-2025-51489

Published: Aug 19, 2025Modified: Aug 21, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened.

Affected (1)

Products: Moonshine: Moonshine

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Moonshine Moonshine	Before 3.12.5

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/GiacoLenzo2109/MoonShine_Software_PoCs

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/moonshine-software/moonshine

Source: cve@mitre.org

Product

Timeline

No history available yet.