CVE-2025-50978

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-50978
In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient input sanitization of filename elements.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-filenames.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*
History

09 Sep 2025, 18:52

Type Values Removed Values Added
References () https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-filenames.md - () https://github.com/4rdr/proofs/blob/main/info/gitblit-v1.7.1-reflected-XSS-via-filenames.md - Exploit, Third Party Advisory
CPE cpe:2.3:a:gitblit:gitblit:1.7.1:*:*:*:*:*:*:*
First Time Gitblit
Gitblit gitblit

29 Aug 2025, 16:24

Type Values Removed Values Added
Summary
  • (es) En Gitblit v1.7.1, existe una vulnerabilidad Cross Site Scripting (XSS) reflejado en la gestión de los nombres de ruta del repositorio. Al inyectar una payload de ruta especialmente manipulada, un atacante puede provocar la ejecución de código JavaScript arbitrario cuando la víctima accede a la URL manipulada. Esta falla se debe a una depuración insuficiente de los elementos de nombre de archivo en la entrada.

27 Aug 2025, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
CWE CWE-79

27 Aug 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-27 16:15

Updated : 2025-09-09 18:52

NVD link : CVE-2025-50978

Mitre link : CVE-2025-50978

CVE.ORG link : CVE-2025-50978

JSON object : View

Products Affected

gitblit

  • gitblit
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')