What is the severity of CVE-2025-27406?

CVE-2025-27406 is classified as a medium severity vulnerability due to its potential to execute arbitrary JavaScript through template setups.

How do I fix CVE-2025-27406?

To fix CVE-2025-27406, upgrade Icinga Reporting to version 1.0.3 or later.

What versions are affected by CVE-2025-27406?

CVE-2025-27406 affects Icinga Reporting versions from 0.10.0 to 1.0.2.

What is the nature of the vulnerability in CVE-2025-27406?

The vulnerability in CVE-2025-27406 allows for the embedding of arbitrary JavaScript due to improper template handling.

Is there a workaround for CVE-2025-27406 before upgrading?

There are no known workarounds for CVE-2025-27406, and upgrading is recommended to mitigate the risk.

Vulnerability/
CVE-2025-27406

high

7.7

CWE

79 918

EPSS

0.039%

26/3/2025

27/3/2025

CVE-2025-27406: Icinga Reporting Stored XSS leads to SSRF

First published: Wed Mar 26 2025(Updated: )

Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act on behalf of the user, if the template is being previewed; and act on behalf of the headless browser, if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Reporting. As a workaround, review all templates and remove suspicious settings.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Icinga Reporting	>=0.10.0<1.0.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-27406?
CVE-2025-27406 is classified as a medium severity vulnerability due to its potential to execute arbitrary JavaScript through template setups.
How do I fix CVE-2025-27406?
To fix CVE-2025-27406, upgrade Icinga Reporting to version 1.0.3 or later.
What versions are affected by CVE-2025-27406?
CVE-2025-27406 affects Icinga Reporting versions from 0.10.0 to 1.0.2.
What is the nature of the vulnerability in CVE-2025-27406?
The vulnerability in CVE-2025-27406 allows for the embedding of arbitrary JavaScript due to improper template handling.
Is there a workaround for CVE-2025-27406 before upgrading?
There are no known workarounds for CVE-2025-27406, and upgrading is recommended to mitigate the risk.

collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/description
agent/first-publish-date
agent/weakness
agent/type
agent/event
agent/severity
agent/author
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/epss-latest
source/FIRST
collector/nvd-api
source/NVD
agent/source
agent/epss
agent/tags
agent/last-modified-date
vendor/icinga
canonical/icinga reporting

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.