{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-54057", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-07-16T11:09:55.585Z", "datePublished": "2025-11-27T11:47:32.947Z", "dateUpdated": "2026-04-13T15:29:56.169Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache SkyWalking", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "10.2.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Vinh Nguy\u1ec5n Quang (vinhnq4902@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.</p><p>This issue affects Apache SkyWalking: &lt;= 10.2.0.</p><p>Users are recommended to upgrade to version 10.3.0, which fixes the issue.</p>"}], "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\n\nThis issue affects Apache SkyWalking: <= 10.2.0.\n\nUsers are recommended to upgrade to version 10.3.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T13:02:02.249Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache SkyWalking: Stored XSS vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/27/1"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/13/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T15:29:56.169Z"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T16:37:24.756331Z", "id": "CVE-2025-54057", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:38:32.983Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/27/1"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/13/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T15:29:56.169Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-54057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T16:37:24.756331Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:37:54.819Z"}}], "cna": {"title": "Apache SkyWalking: Stored XSS vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Vinh Nguy\u1ec5n Quang (vinhnq4902@gmail.com)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache SkyWalking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.2.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\n\nThis issue affects Apache SkyWalking: <= 10.2.0.\n\nUsers are recommended to upgrade to version 10.3.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.</p><p>This issue affects Apache SkyWalking: &lt;= 10.2.0.</p><p>Users are recommended to upgrade to version 10.3.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T13:02:02.249Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54057", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:29:56.169Z", "dateReserved": "2025-07-16T11:09:55.585Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-11-27T11:47:32.947Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:skywalking:*:*:*:*:*:*:*:*", "matchCriteriaId": "802C6A2F-36AC-40A6-AE35-9BD58BFC462A", "versionEndExcluding": "10.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.\n\nThis issue affects Apache SkyWalking: <= 10.2.0.\n\nUsers are recommended to upgrade to version 10.3.0, which fixes the issue."}], "id": "CVE-2025-54057", "lastModified": "2026-04-13T16:16:24.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-27T12:15:47.253", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/11/27/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/13/3"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:42:04.377454+00:00", "value": {"mitigation_remediation": ["Upgrade Apache SkyWalking to version 10.3.0 or later", "Sanitize all user\u2011controlled input by escaping or removing script\u2011related tags before storage", "Implement a Content Security Policy that limits the execution of inline scripts"], "summary": {"action": "Immediate Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation\u2019s Apache SkyWalking, versions up to and including 10.2.0, is affected by this stored XSS flaw. Upgrading to version 10.3.0 removes the vulnerability.", "description_and_impact": "Apache SkyWalking is vulnerable to an Improper Neutralization of Script\u2011Related HTML Tags in a Web Page, allowing stored Cross\u2011Site Scripting (XSS). Malicious code can be uploaded, saved, and later rendered in the user interface, enabling an attacker to create defacement pages, steal session cookies, or perform session hijacking. The weakness falls under CWE\u201180 and can compromise the confidentiality and integrity of data viewed by any authenticated or unauthenticated user who loads the impacted page.", "risk_and_exploitability": "The CVSS score of 6.1 classifies the vulnerability as moderate severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, leveraging web input fields that store user data without proper output encoding. While the risk is not exceptionally high, the impact of successful exploitation could undermine session security and user trust."}}}}, "created": "2025-11-28T08:51:20.399222+00:00", "updated": "2026-04-20T16:45:11.955684+00:00", "vendors": ["apache", "apache$PRODUCT$skywalking"]}