Home

Description

Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled.

PUBLISHED Reserved 2025-11-18 | Published 2025-11-29 | Updated 2025-11-29 | Assigner mitre

References

krpano.com/docu/releasenotes/?version=1.23.3

krpano.com/...23-3d-gaussian-splatting-support/&postID=96997

cve.org (CVE-2025-65892)

nvd.nist.gov (CVE-2025-65892)

Download JSON