PT-2025-18697 · Kunbus · Kunbus Pictory
Adam Bromiley
·
Published
2025-05-01
·
Updated
2025-05-02
·
CVE-2025-36558
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
KUNBUS PiCtory versions 2.11.1 and earlier
Description
The issue allows for cross-site scripting attacks via the sso token used for authentication. If an attacker provides a user with a KUNBUS PiCtory URL containing an HTML script as the sso token, the script is reflected back to the user in the response and executed in their browser.
Recommendations
For KUNBUS PiCtory versions 2.11.1 and earlier, consider disabling the use of the sso token for authentication until a patch is available. Restrict or filter requests whose sso token contains HTML markup to minimize the risk of exploitation. Avoid using the sso token parameter in affected URLs until the issue is resolved.
Fix
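No vendor fix is listed here. As an added illustration (not PiCtory's code and not the vendor's patch), the following Python contrasts the reflection pattern the description names with a hardened handler that applies the recommendations: reject tokens that are not token-shaped, never echo a rejected value, and HTML-escape anything that is reflected. The parameter name `sso_token` and the base64url/JWT-style token alphabet are assumptions; the advisory does not publish either.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: PiCtory's real parameter name and token format are not in the
# advisory. "sso_token" and this opaque-token alphabet are illustrative only.
PARAM = "sso_token"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-.]{16,512}$")


def vulnerable_render(sso_token: str) -> str:
    """The pattern the advisory describes: the token taken from the URL is
    written into the HTML response as-is, so markup inside it is parsed and,
    if it is a script, executed in the victim's browser (reflected XSS)."""
    return f"<p>Authentication failed for token: {sso_token}</p>"


def hardened_render(sso_token: str) -> str:
    """Two independent defences: reject values that do not look like a token
    (without echoing them), and HTML-escape anything that is reflected."""
    if not TOKEN_RE.fullmatch(sso_token):
        return "<p>Authentication failed: malformed token.</p>"
    return f"<p>Authentication failed for token: {html.escape(sso_token)}</p>"


def sso_token_from_url(url: str) -> Optional[str]:
    """Pull the (assumed) sso_token query parameter out of a request URL."""
    values = parse_qs(urlparse(url).query).get(PARAM)
    return values[0] if values else None


def is_suspicious_token(sso_token: str) -> bool:
    """Log- or proxy-side check for the advisory's condition: markup where an
    opaque token is expected. Matches the 'restrict or filter' recommendation."""
    return not TOKEN_RE.fullmatch(sso_token)


# Constructed sample URLs, not captured traffic.
BENIGN_URL = "https://pictory.example/?sso_token=eyJhbGciOiJIUzI1NiJ9.abc123DEF456"
HOSTILE_URL = "https://pictory.example/?sso_token=%3Cscript%3Ex()%3C/script%3E"

if __name__ == "__main__":
    for url in (BENIGN_URL, HOSTILE_URL):
        tok = sso_token_from_url(url)
        print(f"suspicious={is_suspicious_token(tok)}")
        print(f"vulnerable: {vulnerable_render(tok)}")
        print(f"hardened:   {hardened_render(tok)}")
```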
Weakness Enumeration
Related Identifiers
Affected Products
Kunbus Pictory