Unrated severity · NVD Advisory · Published Nov 26, 2025 · Updated Nov 26, 2025
Stored Cross-Site Scripting via XML Injection
CVE-2025-66258
Description
Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into patchlist.xml without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., .bin). The XSS executes when ajax.js processes and renders the XML file.
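The concatenation flaw described above, next to an encoded form, as an added example that is not code from the device or the vendor. The `<patch>`/`<name>` element names, the filename allow-list and the sample filenames are assumptions made for illustration.

```javascript
// Added example. Element names <patch>/<name> are assumed, not taken from the device.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Encode the five XML-significant characters so the value stays character data.
function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Vulnerable pattern from the description: the filename is concatenated as-is.
function entryUnsafe(filename) {
  return '<patch><name>' + filename + '</name></patch>';
}

// Hardened form: the filename is encoded before it is written into the XML.
function entrySafe(filename) {
  return '<patch><name>' + escapeXml(filename) + '</name></patch>';
}

// Defence in depth at upload time: allow-list of filename characters (assumed policy).
function isAllowedFilename(filename) {
  return /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(filename);
}

// Counts element start tags; an entry built from one filename must contain exactly 2.
function countStartTags(xml) {
  return (xml.match(/<[A-Za-z]/g) || []).length;
}

// Decodes entities in one pass, as an XML parser would before handing text to the renderer.
function unescapeXml(text) {
  const names = { lt: '<', gt: '>', quot: '"', apos: "'", amp: '&' };
  return text.replace(/&(lt|gt|quot|apos|amp);/g, (m, n) => names[n]);
}

// Reports whether a filename changes the XML structure in each variant.
function audit(filename) {
  const safe = entrySafe(filename);
  const m = /<name>([^<]*)<\/name>/.exec(safe);
  return {
    allowed: isAllowedFilename(filename),
    unsafeTags: countStartTags(entryUnsafe(filename)),
    safeTags: countStartTags(safe),
    roundTrip: m !== null && unescapeXml(m[1]) === filename,
  };
}

// Constructed samples: a plain filename and one carrying benign markup characters.
for (const f of ['mozart_v2.bin', 'x</name><b title="t">y</b><name>.bin']) console.log(f, audit(f));
```

Encoding at write time keeps the XML well-formed; the script that renders the list should additionally insert names as text rather than as markup.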
Affected products
- Range: 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
- DB Electronica Telecomunicazioni S.p.A./Mozart FM Transmitter · v5 · Range: 30
Patches
No patches discovered yet.
References
- www.abdulmhsblog.com/posts/webfmvulns/ · mitre · exploit · technical-description