CVE-2025-14722
Description
A vulnerability was found in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. It affects the function Add in the file Admin/Controller/AddonsController.class.php of the Backend component. Manipulation of this function can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be used. The product follows a rolling-release model for ongoing delivery, so version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-14722: A reflected XSS vulnerability in vion707 DMadmin's AddonsController.class.php allows remote attackers to inject arbitrary web scripts.
Vulnerability Description
CVE-2025-14722 is a cross-site scripting (XSS) vulnerability found in the vion707 DMadmin project up to commit 3403cafdb42537a648c30bf8cbc8148ec60437d1. The flaw resides in the Add function within Admin/Controller/AddonsController.class.php of the backend component. The root cause is insufficient sanitization of user-supplied input, allowing an attacker to inject malicious scripts. The vendor did not respond to disclosure attempts.
Exploitation Details
The attack can be carried out remotely without requiring advanced privileges. Since the affected component is part of the backend administrative interface, an attacker would need to trick an authenticated administrator into visiting a crafted URL or interacting with a malicious payload. The exploit has been publicly disclosed, increasing the risk of active use [1].
Impact
Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to session hijacking, defacement, or theft of sensitive data within the administrative panel. The CVSS v3 base score is 2.4 (Low), reflecting the requirement for user interaction and the limited direct impact.
Mitigation Status
As the project follows a rolling release model, no specific patched version is available. The only mitigation is to avoid using the product or to restrict access to the administrative interface while applying input validation and output encoding manually [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.