Medium severity (CVSS 6.1) · NVD Advisory · Published Nov 29, 2025 · Updated Apr 15, 2026

CVE-2025-66036

Description

Retro is an online platform for listing and trading vintage collectibles. Prior to version 2.4.7, Retro is vulnerable to cross-site scripting (XSS) in its input handling component. This issue has been patched in version 2.4.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Retro prior to 2.4.7 has an XSS vulnerability due to improper input sanitization, allowing attackers to inject malicious scripts.

The vulnerability is a Cross-Site Scripting (XSS) flaw in Retro's input handling component, caused by improper sanitization of user-provided input [1]. Attackers can inject malicious JavaScript payloads when users interact with the application [1]. Successful exploitation can lead to session hijacking, credential theft, or execution of arbitrary browser-side scripts [1]. The issue has been patched in version 2.4.7 by implementing proper input sanitization and output encoding [1]. As a temporary workaround, a strict Content Security Policy (CSP) and server-side filtering can be enabled [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
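To make the described fix and workaround concrete, the following is an added example and not Retro's code (the affected component is not published on this page). It shows a hypothetical item-rendering function in the vulnerable form the insight describes (user input concatenated into markup unchanged), the hardened form with output encoding, and a strict Content-Security-Policy header of the kind named as a workaround. All function names, the sample listing and the policy values are assumptions.

```javascript
// Added example (not Retro's code): the pattern behind an XSS in a
// user-controlled "item description" field, and its hardened form.
// Function names and the sample item are hypothetical.

// Minimal HTML entity encoder for HTML body text and double-quoted attribute values.
// Every character that can open a tag, attribute or entity is replaced.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: user-controlled fields are interpolated into markup
// without encoding, so a description containing a tag becomes live HTML.
function renderItemUnsafe(item) {
  return `<li class="item" data-id="${item.id}">${item.name}: ${item.description}</li>`;
}

// Hardened pattern: every user-controlled value is encoded for the context
// it lands in (attribute value or element text) before concatenation.
function renderItem(item) {
  return `<li class="item" data-id="${escapeHtml(item.id)}">` +
         `${escapeHtml(item.name)}: ${escapeHtml(item.description)}</li>`;
}

// Defense in depth: a strict CSP for responses that carry this markup.
// With no 'unsafe-inline' in script-src, an inline script that still reaches
// the page through some unencoded path is refused by the browser.
function strictCspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample input: a listing whose description carries a script tag.
const sampleItem = {
  id: 42,
  name: '1984 walkman',
  description: '<script>alert(1)</script>',
};

// Convenience checks a reviewer can run: does the rendered markup still
// contain an executable tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe :', renderItemUnsafe(sampleItem));
console.log('encoded:', renderItem(sampleItem));
console.log('Content-Security-Policy: ' + strictCspHeader());
```

Encoding at output time is the fix; the CSP header is a backstop, not a replacement, because it does nothing for markup injected into attribute or URL contexts that do not involve script execution, and any `'unsafe-inline'` allowance in `script-src` reopens the hole.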
