VYPR
Medium severity 4.3 · NVD Advisory · Published Mar 2, 2025 · Updated Apr 15, 2026

CVE-2025-1810

Description

A vulnerability was found in Pixsoft Vivaz 6.0.11. It has been classified as problematic. Affected is an unknown function of the file /servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231 of the component Login Endpoint. The manipulation of the argument sistema leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pixsoft Vivaz 6.0.11 contains a reflected XSS vulnerability in the login endpoint's 'sistema' parameter, allowing remote unauthenticated attackers to inject arbitrary JavaScript.

Vulnerability

Description

A reflected cross-site scripting (XSS) vulnerability has been identified in Pixsoft Vivaz versions prior to 6.0.11. The issue affects the login endpoint at /servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=0. The sistema parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript code into the response page [1][2]. The vendor was contacted but did not respond [1].

Exploitation

This is a reflected XSS vulnerability that can be exploited remotely without authentication. An attacker can craft a malicious URL containing a payload in the sistema parameter, such as "><img%20src%20onerror=alert()>. When a victim clicks on the crafted link, the injected script executes in the context of their browser session on the affected application [2]. The proof-of-concept demonstrates that the injection is successful when the alert box appears [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal session cookies, redirect the user to malicious sites, perform actions on behalf of the user, or deface the application page. The attack does not require any authentication, making it easier to target any user who visits the specially crafted link [1][2].

Mitigation

As of the published date, no official patch or vendor advisory has been issued. The vendor did not respond to the disclosure [1]. Organizations running Pixsoft Vivaz versions below 6.0.11 should consider applying input validation and output encoding on the sistema parameter as a workaround, or restricting access to the affected endpoint until a patch is released.
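As an added example that is not part of the advisory and not Pixsoft's code, the following Node.js snippet shows the two workarounds named above applied to a login handler that reflects sistema: an allowlist validator and HTML output encoding, with the unsafe interpolation beside the hardened form, plus a small log check that flags login requests whose sistema value fails the allowlist. It assumes the parameter is echoed into the value attribute of a hidden input on the login form and that legitimate values are small non-negative integers (the advisory URL carries sistema=0); both are assumptions, not facts from the advisory. The sample request URLs are constructed, with the advisory's proof-of-concept value percent-encoded.

```javascript
// Added example: hardening a login handler that reflects the "sistema" query
// parameter, following the mitigation the advisory recommends (input validation
// plus output encoding). This is not Pixsoft's code. Assumptions not stated in
// the advisory: the parameter is echoed into the value attribute of a hidden
// <input> on the login form, and legitimate values are small non-negative
// integers (the advisory's URL carries sistema=0).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation with an allowlist: 1-6 ASCII digits, nothing else.
// Returns the value, or null when the request must be rejected.
function validateSistema(raw) {
  if (typeof raw !== 'string' || !/^\d{1,6}$/.test(raw)) return null;
  return raw;
}

// Read the parameter the way the servlet sees it, after URL decoding.
function extractSistema(requestUrl) {
  return new URL(requestUrl, 'http://localhost').searchParams.get('sistema');
}

// The defect class the advisory describes: the decoded parameter is interpolated
// into the markup unchanged, so a value containing `">` closes the attribute and
// the tag, and whatever follows is parsed as new HTML.
function renderLoginPageUnsafe(sistema) {
  return '<form action="/servlet?act=login&amp;submit=1">' +
    `<input type="hidden" name="sistema" value="${sistema}">` +
    '<input type="submit" value="Login"></form>';
}

// Hardened version: reject out-of-allowlist values with 400, and still encode
// the value on output (defence in depth if the allowlist is later relaxed).
function renderLoginPageSafe(sistema) {
  const value = validateSistema(sistema);
  if (value === null) {
    return { status: 400, body: '<p>Invalid request.</p>' };
  }
  return {
    status: 200,
    body: '<form action="/servlet?act=login&amp;submit=1">' +
      `<input type="hidden" name="sistema" value="${escapeHtml(value)}">` +
      '<input type="submit" value="Login"></form>',
  };
}

// Detection helper for access or proxy logs: a login request whose sistema
// value fails the allowlist is worth alerting on.
function isSuspiciousLoginRequest(requestUrl) {
  const u = new URL(requestUrl, 'http://localhost');
  if (u.pathname !== '/servlet' || u.searchParams.get('act') !== 'login') return false;
  const sistema = u.searchParams.get('sistema');
  return sistema !== null && validateSistema(sistema) === null;
}

// Constructed sample requests: the advisory's proof-of-concept value
// percent-encoded, and a benign request with sistema=0.
const CRAFTED_URL = '/servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231'
  + '&sistema=%22%3E%3Cimg%20src%20onerror%3Dalert()%3E';
const BENIGN_URL = '/servlet?act=login&submit=1&evento=0&pixrnd=0125021817031859360231&sistema=0';

if (typeof require !== 'undefined' && require.main === module) {
  const payload = extractSistema(CRAFTED_URL);
  console.log('unsafe :', renderLoginPageUnsafe(payload));
  console.log('safe   :', renderLoginPageSafe(payload));
  console.log('benign :', renderLoginPageSafe(extractSistema(BENIGN_URL)));
  console.log('flagged:', isSuspiciousLoginRequest(CRAFTED_URL), isSuspiciousLoginRequest(BENIGN_URL));
}
```

Run with `node` to see the unsafe rendering emit the injected tag while the hardened handler answers 400 for the same request and 200 for sistema=0. The allowlist does the real work here; the encoder is kept on the output path so that a later change to accept free-text values does not silently reintroduce the reflection.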

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.