CVE-2025-59903 - Vulnerability Details - OpenCVE

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kubysoft	Kubysoft

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft

History

Mon, 16 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource.
Title		Multiple vulnerabilities in Kubysoft
First Time appeared		Kubysoft Kubysoft kubysoft
Weaknesses		CWE-79
CPEs		cpe:2.3:a:kubysoft:kubysoft:all_versions:::::::*
Vendors & Products		Kubysoft Kubysoft kubysoft
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2026-02-16T09:55:05.096Z

Updated: 2026-02-16T09:55:05.096Z

Reserved: 2025-09-23T10:24:09.538Z

Link: CVE-2025-59903

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-02-16T10:16:06.980

Modified: 2026-02-16T10:16:06.980

Link: CVE-2025-59903

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59903", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-09-23T10:24:09.538Z", "datePublished": "2026-02-16T09:55:05.096Z", "dateUpdated": "2026-02-16T09:55:05.096Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Kubysoft", "vendor": "Kubysoft", "versions": [{"status": "affected", "version": "All versions"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubysoft:kubysoft:all_versions:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "David Padilla Alvarado"}], "datePublic": "2026-02-16T09:52:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource."}], "value": "Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-02-16T09:55:05.096Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerabilities have been fixed by the Kubysoft team in the latest version of the software.<br>"}], "value": "The vulnerabilities have been fixed by the Kubysoft team in the latest version of the software."}], "source": {"discovery": "EXTERNAL"}, "title": "Multiple vulnerabilities in Kubysoft", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource."}], "id": "CVE-2025-59903", "lastModified": "2026-02-16T10:16:06.980", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-02-16T10:16:06.980", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-kubysoft"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}