CVE-2025-41065
Description
Stored Cross-Site Scripting (XSS) vulnerability in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the 'Edit Batch Name' function. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in LUNA v7.5.5.6 via Edit Batch Name allows attackers to execute arbitrary JavaScript in victims' browsers.
Vulnerability Overview
CVE-2025-41065 is a stored cross-site scripting (XSS) vulnerability in LUNA software version 7.5.5.6, a digital asset management platform used by museums, libraries, and cultural institutions. The root cause is improper sanitization of user input in the 'Edit Batch Name' function. An attacker with low-privilege access can inject a malicious payload that is stored by the application and later displayed to other users without proper escaping [1].
Exploitation
To exploit this vulnerability, an attacker must have authenticated access to the LUNA application (privilege level required: low). The attack vector is network-based, and user interaction is required (the victim must view the affected batch name). The attacker injects JavaScript code into the batch name field; when other users access the batch, the script executes in their browser context [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal sensitive data such as session cookies, enabling session hijacking, or to perform actions on behalf of the victim user. The CVSS v4.0 base score is 5.1 (Medium), with the vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, indicating low confidentiality and integrity impact on the subsequent system (SC:L/SI:L) and no impact on the vulnerable system itself (VC:N/VI:N/VA:N) [1].
Mitigation
As of the publication date (2026-02-03), no official solution or patch has been reported by Luna Imaging, Inc. Users are advised to apply input validation and output encoding as a workaround, and to monitor vendor updates for a fix [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
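The workaround named under Mitigation (input validation plus output encoding), sketched as an added example. It is not LUNA code or vendor guidance; the function names, the character allowlist and the 100-character limit are assumptions, and the sample row is constructed.

```javascript
// Added example (not LUNA code): validate a batch name on write, encode it on output.
// ASSUMPTIONS: allowlist, length limit and all function names are hypothetical.

const MAX_BATCH_NAME_LENGTH = 100; // assumed limit
// Letters, digits, spaces and a little punctuation; no <, >, ", ', & or backtick.
const BATCH_NAME_ALLOWED = /^[\p{L}\p{N} ._()-]+$/u;

// Input validation: reject names outside the allowlist before they are stored.
function validateBatchName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const name = raw.normalize("NFC").trim();
  if (name.length === 0) return { ok: false, reason: "empty" };
  if (name.length > MAX_BATCH_NAME_LENGTH) return { ok: false, reason: "too long" };
  if (!BATCH_NAME_ALLOWED.test(name)) return { ok: false, reason: "disallowed character" };
  return { ok: true, value: name };
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Output encoding for HTML element content and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe pattern: the stored value is concatenated into markup as-is.
function renderBatchRowUnsafe(batch) {
  return `<td title="${batch.name}">${batch.name}</td>`;
}

// Hardened pattern: encode at output time even for validated values, because
// rows stored before validation existed may still contain markup.
function renderBatchRowSafe(batch) {
  const name = encodeHtml(batch.name);
  return `<td title="${name}">${name}</td>`;
}

// Constructed sample: a legacy row stored before validation was introduced.
const legacyRow = { name: '"><script>alert(1)</script>' };
console.log(validateBatchName(legacyRow.name)); // rejected if submitted today
console.log(renderBatchRowSafe(legacyRow));     // rendered as inert text
```

Validation alone does not cover values already in storage, which is why the encoding step sits in the rendering path rather than only at the edit form.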
Affected products (1)
- Range: = 7.5.5.6
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.