CVE-2025-11687
Unknown Unknown - Not Provided
Reflected DOM XSS in gi-docgen Enables Session Cookie Theft

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: Red Hat, Inc.

Description
A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page β€” enabling DOM access, session cookie theft and other client-side attacks β€” via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11687
EUVD
EUVD-2025-206336
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor gi-docgen *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected DOM Cross-Site Scripting (XSS) flaw in gi-docgen. It occurs because gi-docgen does not properly encode search terms before inserting them into the HTML page. An attacker can craft a malicious URL that includes harmful JavaScript code in the 'q' GET parameter, which then executes in the user's browser when the URL is visited. This allows arbitrary JavaScript execution in the context of the page. [1]

Impact Analysis

The vulnerability can lead to arbitrary JavaScript execution in the user's browser, enabling attacks such as DOM manipulation, session cookie theft, and other client-side exploits. The severity depends on what else is hosted on the same domain as the gi-docgen documentation. If only gi-docgen docs are hosted with no sensitive content, the impact is likely minimal. However, if sensitive data or functionality is present on the domain, the risk and impact increase. [1]

Detection Guidance

Detection of this vulnerability involves testing for reflected DOM XSS by crafting URLs with malicious payloads in the 'q' GET parameter and observing if the script executes in the browser context. There are no specific commands provided in the resources. A practical approach is to use a web proxy or browser developer tools to intercept and modify requests to gi-docgen, injecting test scripts in the 'q' parameter to see if they are executed. Automated scanners that detect reflected XSS vulnerabilities can also be used against the gi-docgen documentation URLs. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the gi-docgen documentation to trusted users only, avoiding hosting sensitive content on the same domain as gi-docgen, and applying any available patches or updates from the gi-docgen maintainers or Red Hat once released. Additionally, users should avoid clicking on untrusted URLs containing the 'q' parameter. Since no specific patch or workaround is detailed, limiting exposure and monitoring for suspicious activity are recommended. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart