What is the severity of CVE-2025-40615?

CVE-2025-40615 is considered a critical severity vulnerability due to its ability to execute JavaScript code in users' browsers via reflected cross-site scripting.

How do I fix CVE-2025-40615?

To fix CVE-2025-40615, ensure that all user-input data is properly sanitized and validated, particularly in the "TEXTO" parameter of /api/api_ajustes.php.

What types of attacks can be executed through CVE-2025-40615?

CVE-2025-40615 can allow attackers to perform session hijacking, credential theft, and redirect users to malicious sites.

Which versions of Bookgy are affected by CVE-2025-40615?

CVE-2025-40615 affects all versions of Bookgy that are vulnerable to the reflected cross-site scripting flaw.

How can I mitigate the risks associated with CVE-2025-40615?

To mitigate risks, implement proper content security policies and use frameworks that automatically handle data encoding and sanitization.

Vulnerability/
CVE-2025-40615

medium

5.1

CWE

EPSS

0.047%

29/4/2025

CVE-2025-40615: Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy

First published: Tue Apr 29 2025(Updated: )

Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php.

Credit: cve-coordination@incibe.es

Affected Software	Affected Version	How to fix
Bookgy

Remedy

The vulnerability has been fixed by the Bookgy team in October 2024 and are no longer exploitable today.

Never miss a vulnerability like this again

Reference Links

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-bookgy

Frequently Asked Questions

What is the severity of CVE-2025-40615?
CVE-2025-40615 is considered a critical severity vulnerability due to its ability to execute JavaScript code in users' browsers via reflected cross-site scripting.
How do I fix CVE-2025-40615?
To fix CVE-2025-40615, ensure that all user-input data is properly sanitized and validated, particularly in the "TEXTO" parameter of /api/api_ajustes.php.
What types of attacks can be executed through CVE-2025-40615?
CVE-2025-40615 can allow attackers to perform session hijacking, credential theft, and redirect users to malicious sites.
Which versions of Bookgy are affected by CVE-2025-40615?
CVE-2025-40615 affects all versions of Bookgy that are vulnerable to the reflected cross-site scripting flaw.
How can I mitigate the risks associated with CVE-2025-40615?
To mitigate risks, implement proper content security policies and use frameworks that automatically handle data encoding and sanitization.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/remedy
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/author
agent/severity
agent/event
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/bookgy
canonical/bookgy

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.