CVE-2025-12776
Stored XSS in WebConsole Report Builder Allows Script Execution

Publication date: 2026-01-07

Last updated on: 2026-02-02

Assigner: Commvault

Description
The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated during report creation, the stored scripts are not executed when the report is run by end users. The script is executed when the report is modified through the Report Builder by a user with edit permissions. The Report Builder is part of the WebConsole.

The WebConsole package is currently end of life and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes.
Meta Information
Published: 2026-01-07
Last Modified: 2026-02-02
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (2 associated CPEs)
Vendor          Product     Version / Range
unknown_vendor  webconsole  *
commvault       commvault   From 11.36.0 (inclusive) to 11.36.68 (exclusive)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Report Builder component of the WebConsole application storing user input directly in a web page and displaying it to other users, which raises concerns about a possible Cross-Site Scripting (XSS) attack. Although the user input is not validated during report creation, the malicious scripts are not executed when the report is run by end users. Instead, the script executes only when the report is modified through the report builder by a user with edit permissions.


How can this vulnerability impact me?

The vulnerability can allow a user with edit permissions to execute malicious scripts when modifying reports in the Report Builder. This could potentially lead to unauthorized actions or compromise of the editing user's session or data. Since the WebConsole package is end of life and no longer maintained, unpatched vulnerabilities like this pose a security risk, especially if deployed in environments with access to sensitive data or internet connectivity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid installing or using the WebConsole package, especially the Report Builder component, in any production environment since it is end of life and no longer maintained. If usage is necessary, deploy it only within a fully isolated network that has no access to sensitive data or internet connectivity to reduce risk exposure.

