cvedb.io
CVE-2025-65289
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2025-12-09T17:15:55.727 · Last modified 2026-06-17T09:55:36.543

Summary

A stored cross-site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example, after a DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions.

Affected products

mercurycom — mr816_firmware

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.