CVE-2025-69606

Published May 1, 2026

Last updated 3 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-69606 identifies a Cross-Site Scripting (XSS) vulnerability found in version 2.0.90 of the GSVoIP web panel. Specifically, the `msg` parameter within the `/painel/gateways.php/error` endpoint is susceptible to this flaw. The vulnerability arises because the affected software does not adequately sanitize user-provided input, enabling attackers to inject arbitrary JavaScript code into the HTML response. Exploitation of this vulnerability can occur when a remote attacker crafts a malicious URL containing the XSS payload and sends it to a victim. If the victim interacts with this crafted URL, the injected JavaScript can execute in their browser. This unauthorized script execution could potentially lead to various client-side attacks, including session hijacking, phishing attempts, or other forms of data manipulation.

Description: Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.
Source: cve@mitre.org
NVD status: Received

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-79

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 1

References