Cyber Resilience

CVE-2025-31510

Severity: High
Published: 16 January 2026
Modified: 15 April 2026
KEV added: not listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0002 (6.9th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-31510 is a high-severity cross-site scripting (CWE-79) vulnerability in LemonLDAP::NG, an OW2 project (vendor inferred from the references, since NVD filed no CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-31510 is a cross-site scripting (XSS) vulnerability, classified as CWE-79, in the portal component of LemonLDAP::NG versions before 2.21.0. It lets remote attackers inject arbitrary web script or HTML into the login page via the "tab" parameter when Choice authentication (the module that lets users pick among configured authentication backends) is in use. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and was published on 2026-01-16T18:16:07.363.

Unauthenticated remote attackers can reach the vulnerable code over the network with low attack complexity. A crafted "tab" value is reflected into the login page, so the injected script runs in the portal's origin in the browser of whoever loads that page; the changed scope (S:C) reflects that the payload executes in the user's browser rather than on the portal itself, with low confidentiality and integrity impact. Two practical caveats: although the vector records UI:N, a reflected payload executes only for a user who opens the crafted portal URL, so real-world delivery means luring a victim to a link; and the login page of an SSO portal is a high-value injection point, because the script runs alongside the credential form.

Advisories recommend upgrading to LemonLDAP::NG 2.21.0 or later. Distribution packages may carry the fix as a backport under an older version string, so on Debian check the package changelog rather than only the upstream version number. Further details appear in the LemonLDAP::NG GitLab issue at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/04/msg00017.html.
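The following is an added illustration, not LemonLDAP::NG's own portal code: it models the CWE-79 shape of the bug (a "tab" selector reflected straight into the login page) next to the hardened handling that SI-10 and SI-15 call for (allowlist the selector against the configured choices, then HTML-encode on output). The configured choice keys, the toy template and the probe string are assumptions constructed for the demo.

```python
"""Vulnerable versus hardened reflection of a 'tab' selector into a login page.

Added illustration of the CWE-79 pattern and the SI-10/SI-15 fixes; it models the
weakness class with a toy template, not LemonLDAP::NG's own portal code.
"""
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Assumed: the authentication choices an operator configured (constructed sample).
CONFIGURED_CHOICES = {"ldap": "LDAP", "sso": "Corporate SSO", "otp": "One-time password"}

# Toy login template; the real portal's markup differs.
LOGIN_TEMPLATE = (
    '<html><body><div class="tabs" data-active="{tab}">'
    '<h1>{title}</h1><form method="post">...</form></div></body></html>'
)

# A selector should only ever be a short module key.
TAB_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def first_param(query_string: str, name: str) -> Optional[str]:
    """Return the first value of a query parameter, or None if absent."""
    values = parse_qs(query_string, keep_blank_values=True).get(name)
    return values[0] if values else None


def render_vulnerable(query_string: str) -> str:
    """Reflects the raw tab value into the page: the CWE-79 shape of the bug."""
    tab = first_param(query_string, "tab") or "ldap"
    return LOGIN_TEMPLATE.format(tab=tab, title=CONFIGURED_CHOICES.get(tab, tab))


def select_tab(raw: Optional[str], default: str = "ldap") -> str:
    """SI-10: accept only a configured choice key; anything else falls back to the default."""
    if raw is None or not TAB_PATTERN.fullmatch(raw):
        return default
    return raw if raw in CONFIGURED_CHOICES else default


def render_hardened(query_string: str) -> str:
    """Allowlist the selector, then HTML-encode on output (SI-15) as defence in depth."""
    tab = select_tab(first_param(query_string, "tab"))
    return LOGIN_TEMPLATE.format(
        tab=html.escape(tab, quote=True),
        title=html.escape(CONFIGURED_CHOICES[tab], quote=True),
    )


def contains_active_markup(page: str) -> bool:
    """Demo check: does the rendered page contain a script tag or an inline event handler?"""
    return re.search(r"<\s*script|\bon\w+\s*=", page, re.IGNORECASE) is not None


# Constructed probe in the shape a reflected-XSS test of a query parameter takes.
PROBE = "tab=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("vulnerable page carries script:", contains_active_markup(render_vulnerable(PROBE)))
    print("hardened page carries script:  ", contains_active_markup(render_hardened(PROBE)))
```

The allowlist is the real fix: once the selector can only be one of the configured keys, the output encoding never has anything dangerous to encode, but keeping it guards against a later template change that reflects the value somewhere new.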


Vulnerability details

In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS in public-facing portal directly enables exploitation of the web app (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

LemonLDAP::NG (OW2), portal component, versions before 2.21.0
Vendor and product inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted inputs such as the tab parameter before it is rendered in the login page, blocking the CWE-79 XSS injection.

SI-15 Information Output Filtering (prevent)
Requires filtering/encoding of application outputs so that script supplied via the tab parameter cannot execute when the Choice-authentication page is rendered to users.

Web-application-layer malicious-code filtering (prevent, detect)
Can deploy web-application-layer malicious-code filters or signatures that recognize and block reflected XSS payloads targeting the portal login page. Treat this as a compensating control while the upgrade is scheduled: signatures miss encoded variants, and the fix is the upgrade itself.
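As an added example of the detection side of T1190 and of the filtering control above (not a signature shipped by any WAF or by the project), the block below scans web-server access lines for requests whose "tab" parameter carries script-like content, and separately compares a LemonLDAP::NG version string against the fixed release 2.21.0. The log lines are constructed for the example; the marker regex is a starting point to tune, not an exhaustive XSS grammar.

```python
"""Spot portal requests whose 'tab' parameter carries reflected-XSS markers, and compare a
LemonLDAP::NG version string against the fixed release 2.21.0.

Added example: the log lines are constructed, and the marker regex is a starting point,
not a signature shipped by any WAF or by the project.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (2, 21, 0)

# Constructed combined-log-format lines for a portal served at "/".
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2026:10:00:01 +0000] "GET /?tab=ldap HTTP/1.1" 200 4321
203.0.113.7 - - [16/Jan/2026:10:00:09 +0000] "GET /?tab=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4410
198.51.100.2 - - [16/Jan/2026:10:01:15 +0000] "GET /?tab=sso&url=aHR0cHM6Ly9hcHA HTTP/1.1" 302 0
198.51.100.9 - - [16/Jan/2026:10:02:40 +0000] "GET /?tab=x%22%20onmouseover%3Dalert(document.cookie)%20a%3D%22 HTTP/1.1" 200 4415
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers of markup/script in a value that should only ever be a short module key.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.IGNORECASE)


def suspicious_tab_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, decoded tab value) for each request whose tab looks like markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get("tab", []):
            # parse_qs percent-decoded once; decode again so double-encoded probes are not missed.
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits.append((m["ip"], m["ts"], decoded))
    return hits


def parse_version(version: str) -> Tuple[int, int, int]:
    """Take the leading MAJOR.MINOR[.PATCH]; packaging suffixes such as '+ds-1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_version_vulnerable(version: str) -> bool:
    """True when the upstream version predates the fix; distribution backports need a changelog check."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    for ip, ts, value in suspicious_tab_requests(SAMPLE_LOG):
        print(f"{ts} {ip} tab={value!r}")
    for v in ("2.20.1", "2.21.0", "2.19.3+ds-1"):
        print(v, "vulnerable upstream" if upstream_version_vulnerable(v) else "fixed")
```

Two design notes: the decode happens twice on purpose, because percent-encoding the payload a second time is the cheapest way to slip past a filter that matches only on the raw query string; and the version check is deliberately named "upstream", since a Debian LTS package can carry the fix without ever reporting 2.21.0, which is why the Debian changelog, not the version string, is the authority there.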
