CVE-2025-41065

Stored Cross-Site Scripting (XSS) in LUNA from Luna Imaging

Assigner: INCIBE
Reserved: 16.04.2025 Published: 03.02.2026 Updated: 03.02.2026

Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by inyecting a malicious payload through the 'Edit Batch Name' function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Luna Imaging
Product	LUNA
Versions	Default: unaffected Version 7.5.5.6 is affected

Vendor

Luna Imaging

Product

LUNA

Versions

Default: unaffected

Version 7.5.5.6 is affected

Credits

Miguel Segovia Gil finder

References

Problem Types