Platform: php
Component: extplorer
Fixed in: 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16
A cross-site scripting (XSS) vulnerability has been identified in eXtplorer versions 2.1.0 through 2.1.15. This flaw resides within an unknown function of the Filename Handler component, allowing attackers to potentially inject malicious scripts. Successful exploitation could lead to session hijacking or defacement. Applying the provided patch is the recommended solution to address this security concern.
The XSS vulnerability in eXtplorer allows an attacker to inject arbitrary JavaScript code into a user's browser session. This can be exploited to steal cookies, redirect users to malicious websites, or modify the content of the eXtplorer interface. The impact is amplified if the eXtplorer instance is publicly accessible or integrated with other systems, potentially leading to broader data compromise or system takeover. While the CVSS score is LOW, the ease of exploitation and potential for user interaction make it a significant risk, especially in environments with sensitive data or critical functionality.
CVE-2025-13058 was publicly disclosed on 2025-11-12. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low, but ongoing monitoring is recommended.
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2025-13058 is to immediately apply the provided patch: 002def70b985f7012586df2c44368845bf405ab3. If patching is not immediately feasible, consider implementing input validation and output encoding on all user-supplied data handled by the Filename Handler. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review eXtplorer's configuration to ensure it adheres to security best practices, such as restricting access to sensitive files and directories. After applying the patch, verify the fix by attempting to inject a simple XSS payload through the Filename Handler and confirming it is properly sanitized.
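The input validation and output encoding mentioned above, sketched in PHP as an added example. This is not eXtplorer code or the content of the patch. The function names and the "action" and "item" URL parameters are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not eXtplorer code.

// Input validation at upload/rename time: valid UTF-8, bounded length,
// no control characters, path separators or HTML metacharacters.
function is_acceptable_filename(string $name): bool
{
    if ($name === '' || $name === '.' || $name === '..' || strlen($name) > 255) {
        return false;
    }
    if (preg_match('//u', $name) !== 1) {   // invalid UTF-8 fails to match
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F\/\\\\<>"\'&`]/', $name) !== 1;
}

// Output encoding: each sink gets the encoder for its own context.
function render_file_row(string $name): string
{
    // HTML text and quoted attribute values
    $html = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Value inside a URL query string (then placed in an attribute)
    $url  = htmlspecialchars(rawurlencode($name), ENT_QUOTES, 'UTF-8');

    // "action" and "item" are assumed parameter names for illustration.
    return sprintf(
        '<tr><td><a href="?action=download&amp;item=%s" title="%s">%s</a></td></tr>',
        $url, $html, $html
    );
}

// JSON sent to a script-driven front end: hex-escape markup characters so
// the value stays inert even if the response is ever parsed as HTML.
function encode_listing(array $names): string
{
    return json_encode(
        array_values($names),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Constructed sample name containing markup characters.
$sample = 'demo"><b>marker</b>.txt';
var_dump(is_acceptable_filename($sample));
echo render_file_row($sample), PHP_EOL;
echo encode_listing([$sample, 'notes.txt']), PHP_EOL;
```

Validation at write time does not cover files that already exist on disk or arrive by other means (FTP, archive extraction), so the encoding at every output point is the control that has to hold.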
Apply the patch identified as 002def70b985f7012586df2c44368845bf405ab3 to resolve the XSS vulnerability. It is recommended to update to a version later than 2.1.15 if one is available that includes the fix.
CVE-2025-13058 is a cross-site scripting (XSS) vulnerability affecting eXtplorer versions 2.1.0 through 2.1.15, allowing attackers to inject malicious scripts.
You are affected if you are using eXtplorer versions 2.1.0 to 2.1.15. Upgrade to the patched version immediately.
Apply the patch 002def70b985f7012586df2c44368845bf405ab3. Consider input validation and output encoding as additional measures.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-13058.
Refer to the eXtplorer project's official website or security mailing list for the advisory related to CVE-2025-13058.