Platform: java
Component: cachecloud
Fixed in: 3.0.1, 3.1.1, 3.2.1
A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions 3.0 through 3.2.0. This flaw resides within the doUserList function of the UserManageController.java file, allowing attackers to inject malicious scripts. A public exploit is now available, increasing the risk of exploitation. The vulnerability is addressed in version 3.2.1.
Successful exploitation of CVE-2025-15146 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the CacheCloud web interface. The public availability of an exploit significantly elevates the risk, as attackers can readily leverage it to compromise vulnerable systems. The impact is amplified if CacheCloud is integrated with other critical systems, potentially enabling lateral movement within the network.
This vulnerability is considered LOW severity according to CVSS. A public proof-of-concept exploit is available, indicating a higher likelihood of exploitation. The vulnerability was reported to the project but has not yet received a response, which could delay further mitigation efforts. The CVE was published on 2025-12-28.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-15146 is to upgrade SohuTV CacheCloud to version 3.2.1 or later. If immediate upgrading is not feasible, consider implementing input validation and output encoding on the doUserList endpoint to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Monitor access logs for suspicious activity related to the doUserList endpoint. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the doUserList function and verifying that it is properly sanitized.
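As an added example, not code from the CacheCloud project or from this advisory, the following Python check implements the access-log monitoring suggested above: it parses constructed combined-format log lines, keeps only requests to the user-list endpoint, fully URL-decodes each query value (so double-encoded input is not missed) and flags values containing markup delimiters or inline event handlers. The route `/manage/user/list` is an assumed placeholder, since the page names the doUserList handler but not its URL mapping.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder route: the advisory names the doUserList handler but not its URL
# mapping, so replace this with the path actually served by UserManageController.
USER_LIST_PATH = "/manage/user/list"

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2025:10:01:02 +0000] "GET /manage/user/list?pageNo=1 HTTP/1.1" 200 5120
10.0.0.7 - - [28/Dec/2025:10:01:09 +0000] "GET /manage/user/list?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300
10.0.0.9 - - [28/Dec/2025:10:02:11 +0000] "GET /manage/app/list?search=%3Cb%3Eredis%3C%2Fb%3E HTTP/1.1" 200 4000
10.0.0.7 - - [28/Dec/2025:10:02:30 +0000] "GET /manage/user/list?search=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5300
"""

# Fields of a combined-format entry: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markup delimiters and inline event handlers have no place in a user-list filter value.
XSS_MARKERS = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are inspected in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """(name, decoded value) pairs of user-list query parameters carrying XSS markers."""
    parts = urlsplit(target)
    if parts.path != USER_LIST_PATH:
        return []  # other endpoints are out of scope for this check
    return [(name, decode_fully(value))
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if XSS_MARKERS.search(decode_fully(value))]

def scan_log(text):
    """One finding dict per log line whose user-list request looks like an XSS probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "params": hits})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the second and fourth lines (both from 10.0.0.7) and ignores the benign paging request and the request to a different endpoint; a 200 status on a flagged line is worth correlating with the upgrade state of the instance.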
Update CacheCloud to a version later than 3.2.0 that fixes the cross-site scripting (XSS) vulnerability, if one is available. If no patched version is available, review and filter user input in the doUserList function of UserManageController.java to prevent malicious code injection.
CVE-2025-15146 is a cross-site scripting (XSS) vulnerability affecting SohuTV CacheCloud versions 3.0 through 3.2.0, allowing attackers to inject malicious scripts.
You are affected if you are running SohuTV CacheCloud versions 3.0, 3.1, or 3.2.0. Upgrade to 3.2.1 or later to mitigate the risk.
Upgrade to SohuTV CacheCloud version 3.2.1 or later. Implement input validation and output encoding as a temporary workaround.
Yes, a public proof-of-concept exploit is available, indicating a potential for active exploitation.
Refer to the SohuTV CacheCloud project's official website or repository for the latest advisory regarding CVE-2025-15146.