CVE-2019-25397
IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to execute arbitrary JavaScript in users' browsers.
| CWE | CWE-79 |
| Vendor | ipfire |
| Product | ipfire |
| Published | Feb 18, 2026 |
| Last Updated | Mar 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for ipfire ipfire
Be the first to know when new medium vulnerabilities affecting ipfire ipfire are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
Ipfire / IPFire
IPFire 2.21 - Core Update 127
References
exploit-db.com: https://www.exploit-db.com/exploits/46344 ipfire.org: https://www.ipfire.org downloads.ipfire.org: https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core127/ipfire-2.21.x86_64-full-core127.iso vulncheck.com: https://www.vulncheck.com/advisories/ipfire-core-update-cross-site-scripting-via-hostsc
Credits
Ozer Goker