{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11687", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-10-13T13:26:57.703Z", "datePublished": "2026-01-26T19:36:28.947Z", "dateUpdated": "2026-01-26T21:02:29.343Z"}, "containers": {"cna": {"title": "Gi-docgen: reflected dom xss in gi-docgen", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2025.5", "versionType": "semver"}], "packageName": "gi-docgen", "collectionURL": "https://gitlab.gnome.org/GNOME/gi-docgen/", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-11687", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536", "name": "RHBZ#2403536", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "datePublic": "2025-10-03T22:22:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-10-13T13:15:37.399Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-10-03T22:22:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-26T19:36:28.947Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T21:01:55.875258Z", "id": "CVE-2025-11687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:02:29.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T21:01:55.875258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:02:26.797Z"}}], "cna": {"title": "Gi-docgen: reflected dom xss in gi-docgen", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2025.5", "versionType": "semver"}], "packageName": "gi-docgen", "collectionURL": "https://gitlab.gnome.org/GNOME/gi-docgen/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-13T13:15:37.399000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-10-03T22:22:00+00:00", "value": "Made public."}], "datePublic": "2025-10-03T22:22:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-11687", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536", "name": "RHBZ#2403536", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-26T19:36:28.947Z"}, "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}}, "cveMetadata": {"cveId": "CVE-2025-11687", "state": "PUBLISHED", "dateUpdated": "2026-01-26T21:02:29.343Z", "dateReserved": "2025-10-13T13:26:57.703Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-01-26T19:36:28.947Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page \u2014 enabling DOM access, session cookie theft and other client-side attacks \u2014 via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS)."}, {"lang": "es", "value": "Se encontr\u00f3 un defecto en gi-docgen. Esta vulnerabilidad permite la ejecuci\u00f3n arbitraria de JavaScript en el contexto de la p\u00e1gina \u2014 permitiendo el acceso al DOM, el robo de cookies de sesi\u00f3n y otros ataques del lado del cliente \u2014 a trav\u00e9s de una URL manipulada que suministra un valor malicioso al par\u00e1metro GET q (XSS DOM reflejado)."}], "id": "CVE-2025-11687", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-01-26T20:16:07.817", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-11687"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403536"}, {"source": "secalert@redhat.com", "url": "https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}

{"created": "2026-01-27T09:03:19.809555+00:00", "updated": "2026-01-27T09:03:19.809587+00:00", "vendors": ["gnome", "gnome$PRODUCT$gi-docgen"]}