Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects
'host' parameter in '/diagconnect.php'

endpoint.
Published: 2026-03-31
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side script execution via reflected XSS
Action: Apply patch
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting flaw located in the host parameter of the \/diagconnect.php endpoint in Anon Proxy Server 0.104. An attacker can embed malicious JavaScript within a URL that, when opened by a user, is echoed back by the server and executed in the victim’s browser. This can lead to theft of session cookies, execution of arbitrary client‑side actions, and other typical XSS‑related damage. The weakness falls under CWE‑79, which denotes improper neutralization of user input that leads to cross‑site scripting.

Affected Systems

The affected product is Anon Proxy Server, version 0.104. No other versions are listed as vulnerable in the current data.

Risk and Exploitability

The CVSS score of 5.1 places the vulnerability in the medium severity range. The EPSS score is less than 1%, suggesting that exploitation is currently unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. Exploitability requires a user to be tricked into clicking a crafted link or otherwise visiting a URL containing a malicious host parameter, so it is limited to client‑side attacks without privilege escalation or server compromise.

Generated by OpenCVE AI on April 7, 2026 at 23:10 UTC.

Remediation

Vendor Solution

Update the producto to the lastest version.

OpenCVE Recommended Actions

  • Update Anon Proxy Server to the latest version, which removes the vulnerable code.
  • If an update is not immediately possible, validate and escape all user input for the host parameter in /diagconnect.php to prevent reflected script execution.
  • Employ web application firewall rules to block requests containing suspicious or malicious JavaScript content.
  • Log and monitor traffic to /diagconnect.php for anomalous host parameter values to detect potential phishing attempts.

Generated by OpenCVE AI on April 7, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Anonproxyserver
Anonproxyserver anon Proxy Server
CPEs cpe:2.3:a:anonproxyserver:anon_proxy_server:0.104:*:*:*:*:*:*:*
Vendors & Products Anonproxyserver
Anonproxyserver anon Proxy Server
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'host' parameter in '/diagconnect.php' endpoint.
Title Reflected Cross-Site Scripting in Anon Proxy Server
First Time appeared Anon Proxy Server
Anon Proxy Server anon Proxy Server
Weaknesses CWE-79
CPEs cpe:2.3:a:anon_proxy_server:anon_proxy_server:0.104:*:*:*:*:*:*:*
Vendors & Products Anon Proxy Server
Anon Proxy Server anon Proxy Server
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Anon Proxy Server Anon Proxy Server
Anonproxyserver Anon Proxy Server
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:20.567Z

Reserved: 2025-04-16T09:57:04.870Z

Link: CVE-2025-41356

cve-icon Vulnrichment

Updated: 2026-03-31T15:01:50.426Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T09:16:22.347

Modified: 2026-04-07T15:32:42.597

Link: CVE-2025-41356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:26Z

Weaknesses