CVE-2019-25449

Description

OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to /document/demodb/-1:-1 with script tags in the name parameter to execute arbitrary JavaScript in users' browsers.

PUBLISHED Reserved 2026-02-20 | Published 2026-02-20 | Updated 2026-05-24 | Assigner VulnCheck

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Credits

Ozer Goker finder

References

www.exploit-db.com/exploits/46517 (ExploitDB-46517) exploit

orientdb.dev/ (OrientDB Official Website) product

www.vulncheck.com/...ss-site-scripting-via-document-endpoint (VulnCheck Advisory: OrientDB 3.0.17 Reflected Cross-Site Scripting via document endpoint) third-party-advisory

cve.org (CVE-2019-25449)

nvd.nist.gov (CVE-2019-25449)

Download JSON