N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11183

GHSA ID

GHSA-gxp8-m5rq-3m38

EPSS Score

0.1288%

CWE

CWE-79

Published

10/13/2025

Updated

10/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11183

CVE-2025-11183: QGIS QWC2 Cross-Site Scripting vulnerability

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-11183

CVE-2025-11183:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11183

GHSA ID

GHSA-gxp8-m5rq-3m38

EPSS Score

0.1288%

CWE

CWE-79

Published

10/13/2025

Updated

10/13/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
qwc2	npm	< 2025.08.14	2025.08.14

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic Cross-Site Scripting (XSS) issue caused by rendering untrusted data directly into the DOM without proper sanitization. The patch for this vulnerability reveals that the problem was not isolated to a single component but was present across multiple React components in the QWC2 application.

The primary indicator of the vulnerability is the use of dangerouslySetInnerHTML in React, which is explicitly named to warn developers about the risk of XSS. The patch systematically adds DOMPurify.sanitize() to all instances where dangerouslySetInnerHTML is used with potentially user-controllable data. This includes data from layer information, search results, service information, theme descriptions, and map copyright information.

In addition to dangerouslySetInnerHTML, the TextInput component was also found to be vulnerable due to direct manipulation of the innerHTML property of a DOM element. This is another common XSS vector that was addressed in the patch.

The identified vulnerable functions are the render methods of the affected components, as well as specific methods in the TextInput component (setDefaultValue and onChange). These are the functions that would be in the call stack when the vulnerable code is executed and would be the most relevant indicators for a runtime profiler during exploitation.

Vulnerable functions

LayerInfoWindow.render

components/LayerInfoWindow.jsx

The `render` method in `LayerInfoWindow` used `dangerouslySetInnerHTML` to render content that could be controlled by an attacker. The vulnerability is patched by sanitizing the content with `DOMPurify.sanitize` before rendering.

SearchBox.render

components/SearchBox.jsx

The `render` method in `SearchBox` used `dangerouslySetInnerHTML` multiple times to render search results. An attacker could craft a malicious search result that would execute arbitrary JavaScript. The patch sanitizes the `result.text` and `result.layer.abstract` before rendering.

ServiceInfoWindow.render

components/ServiceInfoWindow.jsx

Similar to `LayerInfoWindow`, the `render` method in `ServiceInfoWindow` was vulnerable to XSS via the `content` prop, which was rendered without sanitization using `dangerouslySetInnerHTML`. The patch adds sanitization using `DOMPurify`.

ThemeList.render

components/ThemeList.jsx

The `render` method in `ThemeList` rendered the `item.description` using `dangerouslySetInnerHTML` without sanitization, allowing for XSS if the description contained malicious HTML. The patch sanitizes the description before rendering.

TextInput.setDefaultValue

components/widgets/TextInput.jsx

The `setDefaultValue` method in `TextInput` directly set `this.input.innerHTML` with a value that could be controlled by an attacker. This is a classic XSS vector. The patch sanitizes the value before setting the `innerHTML`.

TextInput.onChange

components/widgets/TextInput.jsx

The `onChange` handler in `TextInput` reads from `ev.target.innerText` and processes it. While `innerText` is generally safer than `innerHTML`, the subsequent processing and usage could still lead to vulnerabilities. The patch proactively sanitizes the value.

MapCopyright.render

plugins/MapCopyright.jsx

The `render` method in `MapCopyright` used `dangerouslySetInnerHTML` to render a `key` which could contain malicious HTML. The patch sanitizes the `key` before rendering.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11183: QGIS QWC2 Cross-Site Scripting vulnerability

CVE-2025-11183:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

CVE-2025-11183: QGIS QWC2 Cross-Site Scripting vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI