CVE-2025-50986

Name of the Vulnerable Software and Affected Versions: diskover-web version 2.3.0

Description: The application does not properly sanitize user-supplied input in several configuration fields within the administrative settings interface, leading to stored cross-site scripting (XSS). Specifically, the following parameters are vulnerable: ES HOST, ES INDEXREFRESH, ES PORT, ES SCROLLSIZE, ES TRANSLOGSIZE, ES TRANSLOGSYNCINT, EXCLUDES FILES, FILE TYPES[], INCLUDES DIRS, INCLUDES FILES, and TIMEZONE. Malicious payloads submitted through these parameters are stored and executed when an administrator views or edits the settings page.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.