cvedb.io
CVE-2025-50986
MEDIUM · CVSS 5.6
EPSS exploitation probability: 0%
Published 2025-08-27T15:15:38.647 · Last modified 2026-06-17T09:35:29.773

Summary

diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page.

Affected products

diskoverdata — diskover

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.