What is the severity of CVE-2025-40616?

CVE-2025-40616 is categorized as a high-severity vulnerability due to its ability to execute arbitrary JavaScript in a user's browser.

How do I fix CVE-2025-40616?

To mitigate CVE-2025-40616, validate and sanitize all user inputs to prevent injection of malicious scripts.

What type of vulnerability is CVE-2025-40616?

CVE-2025-40616 is a reflected cross-site scripting (XSS) vulnerability.

Where does CVE-2025-40616 occur?

CVE-2025-40616 occurs in the Bookgy application, specifically through the 'IDRESERVA' parameter in the /bkg_imprimir_comprobante.php endpoint.

Can CVE-2025-40616 affect my website?

Yes, if your website uses the vulnerable version of Bookgy and allows unsanitized inputs, it can be exploited through CVE-2025-40616.

Vulnerability/
CVE-2025-40616

medium

5.1

CWE

EPSS

0.047%

29/4/2025

CVE-2025-40616: Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy

First published: Tue Apr 29 2025(Updated: )

Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php.

Credit: cve-coordination@incibe.es

Affected Software	Affected Version	How to fix
Bookgy

Remedy

The vulnerability has been fixed by the Bookgy team in October 2024 and are no longer exploitable today.

Never miss a vulnerability like this again

Reference Links

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-bookgy

Frequently Asked Questions

What is the severity of CVE-2025-40616?
CVE-2025-40616 is categorized as a high-severity vulnerability due to its ability to execute arbitrary JavaScript in a user's browser.
How do I fix CVE-2025-40616?
To mitigate CVE-2025-40616, validate and sanitize all user inputs to prevent injection of malicious scripts.
What type of vulnerability is CVE-2025-40616?
CVE-2025-40616 is a reflected cross-site scripting (XSS) vulnerability.
Where does CVE-2025-40616 occur?
CVE-2025-40616 occurs in the Bookgy application, specifically through the 'IDRESERVA' parameter in the /bkg_imprimir_comprobante.php endpoint.
Can CVE-2025-40616 affect my website?
Yes, if your website uses the vulnerable version of Bookgy and allows unsanitized inputs, it can be exploited through CVE-2025-40616.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/remedy
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/last-modified-date
agent/author
agent/severity
agent/event
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/bookgy
canonical/bookgy

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.