CVE-2025-66258 – Stored Cross-Site Scripting via XML Injection

CVE ID : CVE-2025-66258

Published : Nov. 26, 2025, 1:16 a.m. | 14 minutes ago

Description : Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml.
User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `.bin`). The XSS executes when ajax.js processes and renders the XML file.

Severity: 7.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…