CVE-2025-31510 — Cross-site Scripting in Lemonldap NG

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

7.2HIGHNVD

EPSS

0.0%

top 98.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lemonldap-ng Lemonldap NG Debian Lemonldap-ng

Timeline

PublishedJan 16

Description

In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.16.1+ds-deb12u6 (bookworm)

▶CVEListV5lemonldap-ng/lemonldap_ng2.0.8 — 2.16.5+1

🔴Vulnerability Details

OSV

CVE-2025-31510: In the portal in LemonLDAP::NG before 2↗2026-01-16

▶

GHSA

GHSA-55mm-vp96-5r7h: In the portal in LemonLDAP::NG before 2↗2026-01-16

▶

📋Vendor Advisories

Debian

CVE-2025-31510: lemonldap-ng - In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-31510 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶