A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page, enabling client-side attacks.
References
| Link | Resource |
|---|---|
| https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010 | Vendor Advisory Issue Tracking |
| https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss | Exploit Third Party Advisory |
| https://www.youtube.com/watch?v=-wvkN-7oT5U | Broken Link |
| https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss | Exploit Third Party Advisory |
Configurations
History
17 Sep 2025, 20:11
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-792010 - Vendor Advisory, Issue Tracking | |
| References | () https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss - Exploit, Third Party Advisory | |
| References | () https://www.youtube.com/watch?v=-wvkN-7oT5U - Broken Link | |
| CPE | cpe:2.3:a:proxmox:virtual_environment:8.4:*:*:*:*:*:*:* | |
| First Time |
Proxmox virtual Environment
Proxmox |
10 Sep 2025, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| References | () https://github.com/khankishiyev-j/bug-bounty/blob/main/proxmox-xss - |
09 Sep 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-09 17:16
Updated : 2025-09-17 20:11
NVD link : CVE-2025-57540
Mitre link : CVE-2025-57540
CVE.ORG link : CVE-2025-57540
JSON object : View
Products Affected
proxmox
- virtual_environment
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')