Unrated severity · NVD Advisory · Published Dec 12, 2025 · Updated Jan 8, 2026
Software Acquisition Guide Supplier Response Web Tool XSS
CVE-2025-67634
Description
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-345-01.json (mitre, government-resource, third-party-advisory)
- www.cisa.gov/software-acquisition-guide/tool (mitre, product)
- www.cve.org/CVERecord (mitre)