Medium severity6.1NVD Advisory· Published Jul 31, 2025· Updated Apr 15, 2026

CVE-2025-51569

Description

A cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U14_06 router's web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router's origin when the crafted URL is accessed. The issue requires user interaction to exploit.

Affected products

Lb Link/BL-CPE300Mllm-fuzzy
Range: = 01.01.02P42U14_06

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.lb-link.com/CPE300M-AX300-4G-LTE-Router-pd502775568.htmlnvd
www.zyenra.com/blog/xss-in-lb-link-lb-cpe300m.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000