Base Score

MEDIUM6.9

CVE-2025-11183

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 <2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page

VectorNETWORK

Published Byvulnerability@ncsc.ch

Published DateOct 13, 2025, 10:15

Affected Versions(1)

qwc2(npm)

Introduced0

Fixed2025.08.14

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
qwc2(npm)	0	2025.08.14	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.9

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

PASSIVE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://hub.ntc.swiss/ntcf-2025-4286

Base Score

MEDIUM6.9

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

6.9

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

PASSIVE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)