CVE-2025-36750

Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X

CVE

CVE-2025-36750

Title

Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X

Credits

Hamid Rahmouni (finder)
Victor Pasman (analyst)

Affected products

Product	Affected	Unaffected	Unknown
Growatt ShineLan-X	>= 3.6.0.0 to < 3.6.0.2 (semver)
Growatt ShineLan-X		everything else

CVSS

Base score	8.5 - HIGH
Attack Vector	NETWORK
Attack Complexity>	LOW
Attack Requirements	NONE
Privileges Required	LOW
Confidentiality Impact
Vulnerable system	HIGH	Subsequent systems	HIGH
Integrity Impact
Vulnerable system	NONE	Subsequent systems	HIGH
Availability Impact
Vulnerable system	LOW	Subsequent systems	HIGH
Safety impact	NOT_DEFINED
Automatable	NOT_DEFINED
Recovery	NOT_DEFINED
Value Density	NOT_DEFINED
Vulnerability Response effort	NOT_DEFINED
Provider Urgency	NOT_DEFINED

References

https://csirt.divd.nl/CVE-2025-36750/ ( third-party-advisory )

Problem type(s)

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Impact(s)

CAPEC-441 Malicious Logic Insertion

Date published

Last modified

Description

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.

JSON version.

DIVD CSIRT

CVE-2025-36750

Stored cross site scripting (XSS) vulnerability in Growatt ShineLan-X

Description