CVE-2025-36748

Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X

CVE CVE-2025-36748
Title Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X
Credits
Affected products
Product Affected Unaffected Unknown
Growatt ShineLan-X >= 3.6.0.0 to < 3.6.0.2 (semver)
everything else
CVSS
Base score 8.4 - HIGH
Attack Vector NETWORK
Attack Complexity> LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system HIGH Subsequent systems HIGH
Integrity Impact
Vulnerable system NONE Subsequent systems HIGH
Availability Impact
Vulnerable system LOW Subsequent systems LOW
Safety impact NOT_DEFINED
Automatable NOT_DEFINED
Recovery NOT_DEFINED
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References https://csirt.divd.nl/CVE-2025-36748/ ( third-party-advisory )
Problem type(s) CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Impact(s) CAPEC-441 Malicious Logic Insertion
Date published
Last modified

Description

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.

JSON version.