CVE-2025-36746

SolarEdge Monitoring Platform contains a XSS upon report deletion

CVE

CVE-2025-36746

Title

SolarEdge Monitoring Platform contains a XSS upon report deletion

Credits

Akram Hamdi (ENCS) (finder)
Victor Pasman (DIVD) (analyst)

Affected products

Product	Affected	Unaffected	Unknown
SolarEdge SolarEdge Monitoring platform (SaaS)	= unkown ()
SolarEdge SolarEdge Monitoring platform (SaaS)			everything else

CVSS

Base score	4.8 - MEDIUM
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	LOW
Confidentiality Impact
Vulnerable system	LOW	Subsequent systems	LOW
Integrity Impact
Vulnerable system	LOW	Subsequent systems	LOW
Availability Impact
Vulnerable system	NONE	Subsequent systems	LOW
Safety impact	NOT_DEFINED
Automatable	NO
Recovery	NOT_DEFINED
Value Density	DIFFUSE
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36746 ( third-party-advisory )
https://csirt.divd.nl/DIVD-2025-00022/ ( third-party-advisory )

Problem type(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Impact(s)

CAPEC-63 Cross-Site Scripting (XSS)

Date published

Last modified

Description

SolarEdge monitoring platform contains a Cross‑Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim’s browser during a deletion attempt.

JSON version.

DIVD CSIRT

CVE-2025-36746

SolarEdge Monitoring Platform contains a XSS upon report deletion

Description