{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-61190", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:54:16.832Z", "dateReserved": "2025-09-26T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T14:30:17.430Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within the search/discover filtering functionality. The vulnerability exists due to improper sanitization of user-supplied input via the filter_type_1 parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://dspace.com"}, {"url": "http://lyrasis.com"}, {"url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:49:32.062186Z", "id": "CVE-2025-61190", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:16.832Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-61190", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:49:32.062186Z"}}}], "references": [{"url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:50:27.122Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://dspace.com"}, {"url": "http://lyrasis.com"}, {"url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd"}], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within the search/discover filtering functionality. The vulnerability exists due to improper sanitization of user-supplied input via the filter_type_1 parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T14:30:17.430Z"}}}, "cveMetadata": {"cveId": "CVE-2025-61190", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:16.832Z", "dateReserved": "2025-09-26T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within the search/discover filtering functionality. The vulnerability exists due to improper sanitization of user-supplied input via the filter_type_1 parameter."}], "id": "CVE-2025-61190", "lastModified": "2026-03-30T15:16:24.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-27T15:16:45.750", "references": [{"source": "cve@mitre.org", "url": "http://dspace.com"}, {"source": "cve@mitre.org", "url": "http://lyrasis.com"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://gist.github.com/MerttTuran/9cf7de549749fe3ef7ce08d65e3540bd"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.5"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "jspui", "vendor": "dspace"}], "analysis": {"en": {"generated_at": "2026-03-27T15:35:22.958891+00:00", "value": {"mitigation_remediation": ["Check the DSpace project website or support channel for a patch or update to JSPUI 6.5", "Apply the latest available DSpace JSPUI release and verify that the filter_type_1 parameter is sanitized"], "summary": {"action": "Apply Fix", "impact": "Cross\u2011Site Scripting (Reflected)"}, "threat_synthesis": {"affected_systems": "The affected product is DSpace JSPUI version\u202f6.5. No other vendor or product variants are listed. Users running this version of the JSP user interface should review the impact on their installations.", "description_and_impact": "A reflected cross\u2011site scripting flaw allows an attacker to inject malicious script into the response returned by DSpace JSPUI 6.5 when a user submits a specially crafted search query. The vulnerability arises from the lack of proper sanitization of the filter_type_1 parameter, causing any input containing script code to be rendered by the browser and executed in the context of the authenticated or non\u2011authenticated user\u2019s session. This could enable attackers to steal session cookies, perform account takeover, or deface the application.", "risk_and_exploitability": "The vulnerability is of moderate to high risk because it is easily triggerable via a URL and does not require privileged access. While no CVSS score or EPSS value is supplied, the existence of a reflected XSS suggests a potential for widespread exploitation through phishing or compromised search queries. The flaw is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet, but the risk remains inherent to the vulnerability\u2019s nature. Potential attackers could simply craft a malicious link to a DSpace search page containing a forbidden filter_type_1 value and distribute it to users. Given the lack of an official patch, the risk persists until mitigation steps are applied."}}}}, "created": "2026-03-27T15:47:17.006326+00:00", "updated": "2026-03-30T08:00:20.849158+00:00", "vendors": ["dspace", "dspace$PRODUCT$jspui"]}