{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11687", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-10-13T13:26:57.703Z", "datePublished": "2026-01-26T19:36:28.947Z", "dateUpdated": "2026-01-26T21:02:29.343Z"}, "containers": {"cna": {"title": "Gi-docgen: reflected dom xss in gi-docgen", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2025.5", "versionType": "semver"}], "packageName": "gi-docgen", "collectionURL": "https://gitlab.gnome.org/GNOME/gi-docgen/", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-11687", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536", "name": "RHBZ#2403536", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "datePublic": "2025-10-03T22:22:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-10-13T13:15:37.399000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-10-03T22:22:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-26T19:36:28.947Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T21:01:55.875258Z", "id": "CVE-2025-11687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:02:29.343Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11687", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-10-13T13:26:57.703Z", "datePublished": "2026-01-26T19:36:28.947Z", "dateUpdated": "2026-01-26T21:02:29.343Z"}, "containers": {"cna": {"title": "Gi-docgen: reflected dom xss in gi-docgen", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2025.5", "versionType": "semver"}], "packageName": "gi-docgen", "collectionURL": "https://gitlab.gnome.org/GNOME/gi-docgen/", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-11687", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536", "name": "RHBZ#2403536", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "datePublic": "2025-10-03T22:22:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-10-13T13:15:37.399000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-10-03T22:22:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-26T19:36:28.947Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T21:01:55.875258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:02:26.797Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}], "id": "CVE-2025-11687", "lastModified": "2026-01-26T20:16:07.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-01-26T20:16:07.817", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-11687"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536"}, {"source": "secalert@redhat.com", "url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}

{}