CVE-2025-65592

Published: Dec 16, 2025Modified: Dec 19, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages.

Affected (1)

Products: Nopcommerce: Nopcommerce

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nopcommerce Nopcommerce	Version 4.90.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://seclists.org/fulldisclosure/2025/Dec/19

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://www.nopcommerce.com/

Source: cve@mitre.org

Product

http://seclists.org/fulldisclosure/2025/Dec/19

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.