CVE-2025-59904

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-59904
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:kubysoft:kubysoft:-:*:*:*:*:*:*:*
History

09 Mar 2026, 20:44

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
First Time Kubysoft kubysoft
Kubysoft
CPE cpe:2.3:a:kubysoft:kubysoft:-:*:*:*:*:*:*:*
References () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft - () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft - Third Party Advisory

18 Feb 2026, 17:52

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de cross-site scripting (XSS) almacenado en Kubysoft, que se activa a través de múltiples parámetros en el endpoint '/kForms/app'. Este problema permite que scripts maliciosos sean inyectados y ejecutados de forma persistente en el contexto de los usuarios que acceden al recurso afectado.

16 Feb 2026, 10:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-16 10:16

Updated : 2026-03-09 20:44

NVD link : CVE-2025-59904

Mitre link : CVE-2025-59904

CVE.ORG link : CVE-2025-59904

JSON object : View

Products Affected

kubysoft

  • kubysoft
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')