CVE-2025-61994
Description
A cross-site scripting vulnerability exists in GROWI prior to v7.2.10. If a malicious user creates a page containing crafted contents, an arbitrary script may be executed in the web browser of a victim user who accesses the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in GROWI prior to v7.2.10 allows attackers to execute arbitrary scripts when a victim views a crafted page.
Vulnerability
CVE-2025-61994 is a stored cross-site scripting (XSS) vulnerability in GROWI, a wiki application, affecting versions prior to v7.2.10. The vulnerability arises from insufficient sanitization of user-created page contents, which allows malicious scripts to be injected [1].
Exploitation
An attacker with low privileges (e.g., the ability to create pages) can craft a page containing malicious JavaScript. When a victim accesses this page, the script executes in the context of their browser. The victim does not need special privileges; it is enough for a normal user to view the page [1][2].
Impact
Successful exploitation can lead to disclosure of information visible to the victim, including pages and user data. If the victim is an administrator, the attacker may access administrative functions and expose sensitive information such as user lists and system configurations [2].
Mitigation
The developer has released GROWI v7.3.0, which fixes the vulnerability. Users are advised to update to this version or later [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.