CVE-2025-13672

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847	Vendor Advisory
https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:opentext:web_site_management_server:16.7.0:::::::*
	cpe:2.3:a:opentext:web_site_management_server:16.7.1:::::::*

History

27 Feb 2026, 23:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Opentext Opentext web Site Management Server
CPE		cpe:2.3:a:opentext:web_site_management_server:16.7.0:::::::* cpe:2.3:a:opentext:web_site_management_server:16.7.1:::::::*
References	~~() https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847 -~~	() https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847 - Vendor Advisory
References	~~() https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md -~~	() https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md - Exploit, Third Party Advisory

24 Feb 2026, 15:21

Type	Values Removed	Values Added
Summary		(es) Neutralización Incorrecta de la Entrada Durante la Generación de Páginas Web (XSS o 'cross-site scripting') vulnerabilidad en OpenText™ Web Site Management Server permite XSS Reflejado. La vulnerabilidad podría permitir la inyección de JavaScript malicioso dentro de los parámetros de la URL que luego se renderizaba con la vista previa de la página, de modo que los scripts maliciosos pudieran ejecutarse en el lado del cliente. Este problema afecta a Web Site Management Server: 16.7.0, 16.7.1.
References		() https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md -

19 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-19 23:16

Updated : 2026-02-27 23:55

NVD link : CVE-2025-13672

Mitre link : CVE-2025-13672

CVE.ORG link : CVE-2025-13672

JSON object : View

Products Affected

opentext

web_site_management_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10