PT-2025-31550 · Lb Link · Lb-Link Bl-Cpe300M

Ravindu Wickramasinghe +1 · Published 2025-05-17 · Updated 2025-07-31 · CVE-2025-51569

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

LB-Link BL-CPE300M version 01.01.02P42U14_06

Description

A cross-site scripting (XSS) vulnerability exists in the web interface of the router. The /goform/goform_get_cmd_process API endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router's origin when a crafted URL is accessed. The issue requires user interaction to exploit.

Recommendations

Ensure proper input sanitization is implemented for the cmd parameter in the /goform/goform_get_cmd_process endpoint.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-00049
CVE-2025-51569

Affected Products

Lb-Link Bl-Cpe300M