{"id":"CVE-2025-51487","details":"A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine versions before 3.12.5. It allows an attacker to execute arbitrary JavaScript by supplying a \"javascript:\" payload, instead of a URL using the expected HTTPS protocol, in the CutCode Link parameter when creating or updating an Article.","aliases":["GHSA-p632-58pp-c9xg"],"modified":"2026-04-10T05:32:35.765782Z","published":"2025-08-19T15:15:28.457Z","references":[{"type":"PACKAGE","url":"https://github.com/moonshine-software/moonshine"},{"type":"EVIDENCE","url":"https://github.com/GiacoLenzo2109/MoonShine_Software_PoCs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moonshine-software/moonshine","events":[{"introduced":"0"},{"fixed":"7102fb113627870fb1cb7176e1d0d95bb47a7fd4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.12.5"}]}}],"versions":["1.0.0","1.1.0","1.10.0","1.11.0","1.12.0","1.13.0","1.14.0","1.14.1","1.15.1","1.15.2","1.15.3","1.16.0","1.17.0","1.17.1","1.18.0","1.19.0","1.19.1","1.2.0","1.2.1","1.2.2","1.20.0","1.20.1","1.21.0","1.21.2","1.22.0","1.22.1","1.23.0","1.23.1","1.23.2","1.24.0","1.25.0","1.25.1","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.26.0","1.26.1","1.27.0","1.27.1","1.27.3","1.28.0","1.3.0","1.4.0","1.5.0","1.5.1","1.5.2","1.5.4","1.5.5","1.50.0","1.50.0-rc1","1.50.0-rc2","1.50.0-rc4","1.50.2","1.50.4","1.51.0","1.51.1","1.51.2","1.51.3","1.52.0","1.52.2","1.52.3","1.52.4","1.52.5","1.53.0","1.53.2","1.53.3","1.54.0","1.55.0","1.55.1","1.55.2","1.56.0","1.56.0-rc1","1.56.0-rc2","1.57.0","1.57.1","1.57.2","1.57.3","1.57.4","1.58.0","1.58.0-rc1","1.58.0-rc2","1.58.1","1.58.2","1.59.0","1.59.0-rc1","1.59.1","1.59.2","1.59.3","1.59.4","1.6.0","1.6.1","1.6.2","1.60.0","1.60.1","1.60.2","1.60.3","1.60.4","1.60.5","1.61.0","1.61.1","1.7.0","1.7.1","1.7.2","1.7.3","1.7.4","1.8.0","1.8.1","1.9.0","1.9.1","1.9.2","1.9.3","1.9.4","2.0.0","2.0.0-alpha.1","2.0.0-alpha.2","2.0.0-alpha.3","2.0.0-beta.1","2.0.0-beta.2",
"2.0.0-rc.1","2.0.0-rc.3","2.1.0","2.10.0","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.4.1","2.4.2","2.4.3","2.5.0","2.5.1","2.5.2","2.6.0","2.6.1","2.6.2","2.6.3","2.6.6","2.6.7","2.6.8","2.6.9","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.8.0","2.8.1","2.9.0","2.9.1","2.9.3","2.9.4","2.9.5","3.0.0","3.0.0-alpha","3.0.0-beta.1","3.0.0-beta.2","3.0.0-rc.1","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.1.0","3.1.1","3.1.2","3.1.4","3.10.0","3.10.1","3.10.2","3.10.3","3.11.0","3.11.0-rc1","3.12.0","3.12.1","3.12.2","3.12.4","3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.3.1","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.4.0","3.4.1","3.4.2","3.4.3","3.4.4","3.4.6","3.4.7","3.4.8","3.5.0","3.5.0-rc","3.5.0-rc.2","3.5.1","3.6.0","3.6.1","3.6.2","3.6.3","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.8.0","3.8.1","3.8.10","3.8.11","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.8","3.8.9","3.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-51487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"}]}