PT-2025-39430 · Unknown · Vulnerability-Lookup
Published 2025-09-25 · Updated 2025-09-26 · CVE-2025-60249
CVSS v3.1: 6.4 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
vulnerability-lookup version 2.16.0
Description
A cross-site scripting (XSS) issue exists in the handling of user-supplied input within the Bundles, Comments, and Sightings components of the software. Untrusted data was not properly sanitized before being rendered, potentially allowing attackers to inject arbitrary JavaScript into the application. The root cause was the unsafe use of innerHTML and insufficient validation of dynamic URLs and model fields. The affected files include bundle.py, comment.py, and user.py. An attacker who can add bundles, comments, or sightings to a vulnerability-lookup instance can exploit this issue.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
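The description names two sinks: user text written via innerHTML and user-supplied URLs placed into links without validation. The following is an added illustration of that pattern and its hardened form; it is hypothetical helper code written for this page, not vulnerability-lookup's own code, and the comment object and field names are constructed.

```javascript
// Added example for this advisory; hypothetical helpers, not vulnerability-lookup's own code.
// The pattern described: comment/bundle/sighting text and URLs flowed into innerHTML
// unescaped. The safe path escapes text and rejects non-http(s) URLs before any markup
// is built (in a browser, prefer textContent over innerHTML for plain text entirely).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only absolute http(s) URLs; javascript:, data:, relative paths and
// unparsable input are all rejected by returning null.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Vulnerable shape (for contrast only): user fields concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<p>${comment.body}</p><a href="${comment.link}">${comment.link}</a>`;
}

// Hardened shape: every user-controlled field is escaped, the link is validated first,
// and a rejected link is dropped rather than rendered.
function renderComment(comment) {
  const href = safeHref(comment.link);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`
    : '';
  return `<article class="comment"><strong>${escapeHtml(comment.author)}</strong>` +
    `<p>${escapeHtml(comment.body)}</p>${link}</article>`;
}

// Constructed sample comment exercising both the text sink and the URL sink.
const sampleComment = {
  author: 'analyst <script>',
  body: 'See <b>bundle</b> "CVE-xxxx" & sightings',
  link: 'javascript:alert(1)',
};

console.log(renderCommentUnsafe(sampleComment)); // markup and the javascript: link survive
console.log(renderComment(sampleComment));       // text escaped, link dropped
```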
Fix
XSS
Affected Products
Vulnerability-Lookup