N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65858

GHSA ID

GHSA-pc5g-j9j7-p4q3

EPSS Score

CWE

CWE-79

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65858

CVE-2025-65858: Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65858

CVE-2025-65858:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-65858

GHSA ID

GHSA-pc5g-j9j7-p4q3

EPSS Score

CWE

CWE-79

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
calibreweb	pip	<= 0.6.25

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic stored Cross-Site Scripting (XSS) issue. The application fails to properly sanitize the 'username' field when creating or editing a user. The unsanitized input, which can contain malicious JavaScript, is stored in the application's database. The vulnerability is triggered when an administrator views the user list at the /ajax/listusers endpoint. The backend retrieves the user data, including the malicious username, and sends it as part of a JSON response. The frontend JavaScript then dynamically renders this data into the DOM without escaping it, causing the browser to execute the script in the context of the administrator's session. The key vulnerable functions are admin.new_user, admin.edit_user, and admin.edit_list_user for input injection, and admin.list_users for triggering the payload.

Vulnerable functions

admin.new_user

cps/admin.py

The 'new_user' function, through its helper '_handle_new_user', processes the 'name' parameter from the user creation form. This username is passed to 'check_username' which does not perform HTML escaping, and is then stored in the database. This allows for a stored XSS payload to be injected.

admin.edit_user

cps/admin.py

The 'edit_user' function, through its helper '_handle_edit_user', allows for updating a user's information. The 'name' parameter is processed by 'check_username' which is insufficient to prevent XSS, and the result is stored in the database, making it vulnerable to stored XSS.

admin.edit_list_user

cps/admin.py

This function allows for inline editing of user properties in a list. When the 'name' parameter is edited, its new value is passed to 'check_username' and saved. Since 'check_username' does not sanitize for XSS, this is an injection vector.

admin.list_users

cps/admin.py

This function is an API endpoint that returns a JSON object containing user data. This data includes the unsanitized username which, when rendered by the frontend, executes any stored XSS payload. This is the trigger for the stored XSS vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65858: Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation

CVE-2025-65858:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-65858: Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI