Cyber Posture

CVE-2025-46410

CriticalPublic PoC

Published: 24 July 2025

Published
24 July 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0018 39.0th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-46410 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Wwbn Avideo. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the XSS vulnerability by requiring identification, reporting, and correction of the flaw in the managerPlaylists PlaylistOwnerUsersId parameter.

SI-10 Information Input Validation good match
prevent

Prevents arbitrary JavaScript execution by validating and sanitizing inputs to the vulnerable PlaylistOwnerUsersId parameter.

SI-15 Information Output Filtering good match
prevent

Blocks XSS exploitation by filtering and encoding outputs derived from the PlaylistOwnerUsersId parameter before rendering in the browser.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
Why these techniques?

XSS enables arbitrary JS execution via crafted request and victim visiting malicious page, directly mapping to drive-by compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit…

more

a webpage to trigger this vulnerability.

Deeper analysisAI

CVE-2025-46410 is a cross-site scripting (XSS) vulnerability in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo version 14.4 and the dev master commit 8a8954ff. The flaw allows a specially crafted HTTP request to lead to arbitrary JavaScript execution, classified under CWE-79 with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

The vulnerability can be exploited by an unauthenticated attacker over the network with low complexity, requiring only user interaction such as visiting a malicious webpage. Successful exploitation enables arbitrary JavaScript execution in the context of the victim's browser, potentially resulting in high confidentiality, integrity, and availability impacts due to the cross-origin scope change.

Details on the vulnerability, including technical analysis, are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2205. No specific patch or mitigation information is detailed in the provided references.

Details

CWE(s)
CWE-79

Affected Products

wwbn
avideo
14.4

CVEs Like This One

CVE-2025-50128Same product: Wwbn Avideo
CVE-2026-34375Same product: Wwbn Avideo
CVE-2025-36548Same product: Wwbn Avideo
CVE-2025-41420Same product: Wwbn Avideo
CVE-2025-53084Same product: Wwbn Avideo
CVE-2026-41064Same product: Wwbn Avideo
CVE-2026-33037Same product: Wwbn Avideo
CVE-2026-33648Same product: Wwbn Avideo
CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-34731Same product: Wwbn Avideo

References