Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
It affects 'host' parameter in '/diagdns.php' endpoint.
Published: 2026-03-31
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting allowing attacker to run JavaScript in the victim’s browser, enabling cookie theft or malicious actions
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a reflected cross‑site scripting flaw in the Anon Proxy Server 0.104. An attacker can send a malicious URL containing a crafted host parameter to the /diagdns.php endpoint. When a victim opens that URL, the server returns the host value unescaped, causing the browser to execute the embedded JavaScript. The attacker can then steal session cookies, read sensitive data, or perform actions on the victim’s behalf.

Affected Systems

Affected products are the Anon Proxy Server from the vendor of the same name. The specific vulnerable release is version 0.104. Any deployments using this version are at risk, while newer releases are not mentioned as affected.

Risk and Exploitability

The CVSS score of 5.1 classifies the impact as moderate. The EPSS score is below 1 %, indicating a low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The flaw is exploitable remotely via an HTTP request to a user‑supplied parameter, so an attacker only needs to lure a victim into clicking a crafted link.

Generated by OpenCVE AI on April 7, 2026 at 23:10 UTC.

Remediation

Vendor Solution

Update the product to the lastest version.

OpenCVE Recommended Actions

  • Update the Anon Proxy Server to the latest version to eliminate the reflected XSS flaw
  • If an immediate upgrade is not possible, restrict access to the /diagdns.php endpoint or remove the host parameter from the query string
  • Monitor web server logs for unexpected requests containing the host parameter and inspect any resulting client‑side errors

Generated by OpenCVE AI on April 7, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Anonproxyserver
Anonproxyserver anon Proxy Server
CPEs cpe:2.3:a:anonproxyserver:anon_proxy_server:0.104:*:*:*:*:*:*:*
Vendors & Products Anonproxyserver
Anonproxyserver anon Proxy Server
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'host' parameter in '/diagdns.php' endpoint.
Title Reflected Cross-Site Scripting on Anon Proxy Server
First Time appeared Anon Proxy Server
Anon Proxy Server anon Proxy Server
Weaknesses CWE-79
CPEs cpe:2.3:a:anon_proxy_server:anon_proxy_server:0.104:*:*:*:*:*:*:*
Vendors & Products Anon Proxy Server
Anon Proxy Server anon Proxy Server
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Anon Proxy Server Anon Proxy Server
Anonproxyserver Anon Proxy Server
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-31T18:04:14.348Z

Reserved: 2025-04-16T09:57:04.870Z

Link: CVE-2025-41357

cve-icon Vulnrichment

Updated: 2026-03-31T15:01:07.631Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T09:16:22.520

Modified: 2026-04-07T15:35:30.277

Link: CVE-2025-41357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:25Z

Weaknesses