CVE-2025-65187
6.1
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.
How to fix CVE-2025-65187
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/civicrm—no fix listed
Is CVE-2025-65187 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |