A vulnerability has been discovered in version 4.0.5 of appRain CMF, consisting of an authenticated reflected XSS due to a lack of proper validation of user input, through the 's' parameter in /apprain/developer/debug-log/db.

CVE-2025-41063 is a medium-severity vulnerability identified in version 4.0.5 of the appRain CMF (Content Management Framework). The issue is classified under CWE-79, which pertains to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). Specifically, this vulnerability is an authenticated reflected XSS flaw that arises due to insufficient validation and sanitization of user input passed through the 's' parameter in the /apprain/developer/debug-log/db endpoint. Because the vulnerability requires authentication, an attacker must have valid user credentials to exploit it. The reflected XSS allows an attacker to inject malicious scripts that are reflected back to the user, potentially enabling session hijacking, defacement, or redirection to malicious sites. The CVSS v4.0 score is 4.8 (medium), reflecting the network attack vector with low attack complexity, no privileges required beyond authentication, and requiring user interaction. There are no known exploits in the wild at this time, and no patches have been published yet. The vulnerability affects a specific version (4.0.5) of appRain CMF, a framework used for building web applications and content management systems. The lack of proper input validation in a developer debug log interface suggests that the vulnerability could be leveraged by authenticated users with access to developer tools or logs, potentially including internal staff or attackers who have compromised user credentials.

CVE Database V5

Detailed information about CVE-2025-41063: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain

CVE-2025-41063: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41063: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF

A vulnerability has been discovered in version 4.0.5 of appRain CMF, consisting of an authenticated reflected XSS due to a lack of proper validation of user input, through the 'page' parameter in /apprain/developer/addons.

CVE-2025-41062 is a medium-severity vulnerability identified in version 4.0.5 of the appRain CMF (Content Management Framework). The vulnerability is classified as CWE-79, which corresponds to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). Specifically, this is an authenticated reflected XSS vulnerability that arises due to insufficient validation and sanitization of user-supplied input in the 'page' parameter within the /apprain/developer/addons endpoint. Because the vulnerability requires authentication, an attacker must have valid credentials to exploit it. The vulnerability allows an attacker to inject malicious scripts that are reflected back to the user, potentially leading to session hijacking, credential theft, or execution of arbitrary JavaScript in the context of the victim's browser. The CVSS 4.0 base score is 4.8, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required beyond authentication. User interaction is required for the malicious payload to execute, and the vulnerability has a limited scope affecting confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in September 2025, with INCIBE as the assigner. Given the nature of the vulnerability, it primarily targets authenticated users of the appRain CMF platform, which is used for web content management and development.

Detailed information about CVE-2025-41062: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain

CVE-2025-41062: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41062: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in /apprain/developer/addons/update/uploadify.

Detailed information about CVE-2025-41061: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain

CVE-2025-41061: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41061: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in /apprain/developer/addons/update/tree.

Detailed information about CVE-2025-41060: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain

CVE-2025-41060: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41060: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[Addon][layouts]' and 'data[Addon][layouts_except]' parameters in /apprain/developer/addons/update/tablesorter.

Detailed information about CVE-2025-41059: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain

CVE-2025-41059: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41059: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain CMF

A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'data[FileManager][search]' parameter in  /apprain/admin/filemanager.

Detailed information about CVE-2025-41037: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in appRain appRain