{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-57543", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-16T19:10:44.673Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T15:19:54.672Z"}, "descriptions": [{"lang": "en", "value": "Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 \"comment\" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:10:07.803195Z", "id": "CVE-2025-57543", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:10:44.673Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-57543", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:10:07.803195Z"}}}], "references": [{"url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:10:37.239Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4"}], "descriptions": [{"lang": "en", "value": "Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 \"comment\" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T15:19:54.672Z"}}}, "cveMetadata": {"cveId": "CVE-2025-57543", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:10:44.673Z", "dateReserved": "2025-08-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netbox:netbox:4.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "0938F464-63D4-4601-8C2F-8F69E7CED8C9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 \"comment\" field on object forms. An attacker can inject arbitrary HTML, which will be rendered in the web UI when viewed by other users. This could potentially lead to user interface redress attacks or be escalated to XSS in certain contexts."}, {"lang": "es", "value": "Vulnerabilidad de scripting entre sitios (XSS) en NetBox 4.3.5 en el campo 'comment' de los formularios de objetos. Un atacante puede inyectar HTML arbitrario, que se renderizar\u00e1 en la interfaz de usuario web cuando sea visto por otros usuarios. Esto podr\u00eda llevar potencialmente a ataques de manipulaci\u00f3n de la interfaz de usuario o ser escalado a XSS en ciertos contextos."}], "id": "CVE-2025-57543", "lastModified": "2026-03-20T13:56:20.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T16:16:13.030", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/MerttTuran/d94acff59816bfd9492d1a738e89ebb4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "netbox", "vendor": "netbox"}], "analysis": {"en": {"generated_at": "2026-03-20T15:29:32.385516+00:00", "value": {"mitigation_remediation": ["Upgrade NetBox to the latest patched release that removes the XSS vulnerability.", "If an upgrade is not immediately possible, apply input sanitization to the comment field to escape HTML tags or strip disallowed content.", "Restrict comment editing privileges to trusted users or roles until a patch is available.", "Monitor the application for unexpected scripts or unexpected DOM modifications that may indicate exploitation."], "summary": {"action": "Apply Patch", "impact": "Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is NetBox version 4.3.5, as identified by the CPE string cpe:2.3:a:netbox:netbox:4.3.5:*:*:*:*:*:*.*. No additional vendor or product information is provided.", "description_and_impact": "The vulnerability is a Stored Cross\u2011Site Scripting (XSS) flaw in NetBox 4.3.5. Input entered into the \"comment\" field on object forms is not properly sanitized and is rendered as arbitrary HTML in the web UI. This allows an attacker who can inject content into the comment field to display malicious scripts or foreign content to other users, potentially enabling phishing or UI redress attacks. The weakness is identified by CWE-79 (Improper Neutralization of Input During Web Page Generation).", "risk_and_exploitability": "The CVSS score is 6.1, indicating moderate severity. EPSS indicates a low exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to submit or edit comments in NetBox, implying authenticator access to object forms. Once a comment is injected, the stored payload is rendered for all users who view the form, permitting a broad attack surface but limited to the web UI context. This risk is moderate and primarily concerns user-based attacks rather than system compromise."}}}}, "created": "2026-03-17T09:55:27.988510+00:00", "title": "Cross\u2011Site Scripting via Comment Field in NetBox 4.3.5", "updated": "2026-03-23T14:01:04.109334+00:00", "vendors": ["netbox", "netbox$PRODUCT$netbox"]}