Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server
v0.104. This vulnerability allows an attacker to execute JavaScript code
in the victim's browser by sending him/her a malicious URL. This
vulnerability can be exploited to steal sensitive user data, such as
session cookies, or to perform actions on behalf of the user. It affects
'port' and 'proxyPort' parameters in '/anon.php' endpoint.
Published: 2026-03-31
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting vulnerability exists in Anon Proxy Server v0.104. An attacker can embed malicious JavaScript in a URL that targets the 'port' or 'proxyPort' parameters in the /anon.php endpoint. When a user opens the crafted link, the script runs in their browser, allowing the attacker to steal session cookies or trigger actions on behalf of the user. This type of client‑side injection can compromise user confidentiality and establish persistence in a session.

Affected Systems

The affected product is Anon Proxy Server provided by the vendor Anon Proxy Server. Only version 0.104 is listed as vulnerable. Users running this specific release, which accepts 'port' and 'proxyPort' parameters on the /anon.php endpoint, are at risk.

Risk and Exploitability

The CVSS base score is 5.1, indicating a moderate risk, and the EPSS score is below 1 %, suggesting low probability of exploitation in the near term. The vulnerability is not currently in the CISA KEV catalog. Exploitation requires an end‑user to visit a malicious URL, so the attack vector is indirect but feasible through phishing or compromised sites. If executed, it could expose session credentials and allow malicious actions without elevated privileges.

Generated by OpenCVE AI on April 7, 2026 at 23:11 UTC.

Remediation

Vendor Solution

Update to the latest version of the software.


OpenCVE Recommended Actions

  • Update to the latest version of Anon Proxy Server

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Anonproxyserver, Anonproxyserver anon Proxy Server |
| CPEs | | cpe:2.3:a:anonproxyserver:anon_proxy_server:0.104:*:*:*:*:*:*:* |
| Vendors & Products | | Anonproxyserver, Anonproxyserver anon Proxy Server |
| Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |


Tue, 31 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 31 Mar 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'port' and 'proxyPort' parameters in '/anon.php' endpoint. |
| Title | | Reflected Cross-Site Scripting on Anon Proxy Server |
| First Time appeared | | Anon Proxy Server, Anon Proxy Server anon Proxy Server |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:anon_proxy_server:anon_proxy_server:0.104:*:*:*:*:*:*:* |
| Vendors & Products | | Anon Proxy Server, Anon Proxy Server anon Proxy Server |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:32.025Z

Reserved: 2025-04-16T09:57:04.869Z

Link: CVE-2025-41355

Vulnrichment

Updated: 2026-03-31T15:02:50.941Z

NVD

Status: Analyzed

Published: 2026-03-31T09:16:22.137

Modified: 2026-04-07T15:32:32.443

Link: CVE-2025-41355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:27Z

Weaknesses