Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ Vertica allows Reflected XSS.
The vulnerability could lead to a reflected cross-site scripting (XSS) attack in the Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X.
Published: 2026-03-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected XSS)
Action: Patch
AI Analysis

Impact

The vulnerability originates from improper neutralization of input during web page generation in the OpenText Vertica management console. According to the vendor description, it permits reflected cross‑site scripting (XSS) where an attacker can inject malicious scripts into a response that is returned to a victim’s browser. This could lead to session hijacking, data theft, or unauthorized actions performed in the context of the authenticated user.

Affected Systems

Affected products are OpenText Vertica versions from 10.0 through 10.X, 11.0 through 11.X, 12.0 through 12.X, 23.0 through 23.X, 24.0 through 24.X, and 25.1.0 through 25.1.X.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would occur via the management console’s web interface and requires a victim to visit a crafted link or execute code within the console, implying user interaction is necessary. The lack of remote code execution and the requirement for authentication or access to the console limit the overall threat surface, but the impact remains significant for exposed management interfaces.

Generated by OpenCVE AI on March 19, 2026 at 14:37 UTC.

Remediation

Vendor Solution

https://portal.microfocus.com/s/article/KM000045853?language=en_US


OpenCVE Recommended Actions

  • Apply the vendor patch as outlined in the MicroFocus support article at https://portal.microfocus.com/s/article/KM000045853?language=en_US
  • If a patch is not yet available, implement stricter input validation or a web application firewall to block injected scripts on the Vertica management console
  • Restrict access to the Vertica management console to trusted IP ranges or VPN endpoints to reduce exposure

Generated by OpenCVE AI on March 19, 2026 at 14:37 UTC.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

First Time appeared
  Values Removed: (none)
  Values Added: Opentext; Opentext vertica
Vendors & Products
  Values Removed: (none)
  Values Added: Opentext; Opentext vertica

Fri, 13 Mar 2026 20:15:00 +0000

Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 18:45:00 +0000

Description
  Values Removed: (none)
  Values Added: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ Vertica allows Reflected XSS. The vulnerability could lead to Reflected XSS attack of cross-site scripting in Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X.
Title
  Values Removed: (none)
  Values Added: Improper neutralization of input during web page generation vulnerability has been discovered in OpenText™ Vertica.
Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
References
  Values Removed: (none)
  Values Added: (none)
Metrics
  Values Removed: (none)
  Values Added: cvssV4_0
  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U'}


Subscriptions

Opentext Vertica
MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-03-13T19:33:59.150Z

Reserved: 2025-10-28T21:28:35.834Z

Link: CVE-2025-12454

Vulnrichment

Updated: 2026-03-13T19:33:55.414Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:53:47.667

Modified: 2026-03-16T14:54:11.293

Link: CVE-2025-12454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:32Z

Weaknesses