CVE-2025-59901
Unknown Unknown - Not Provided

Authenticated Reflected XSS in Disk Pulse Enterprise /monitor_directory Endpoint

Vulnerability report for CVE-2025-59901, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-01-28
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
disk_pulse disk_pulse_enterprise 10.4.18

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated reflected Cross-Site Scripting (XSS) issue in Disk Pulse Enterprise v10.4.18. It occurs in the '/monitor_directory?sid=' endpoint due to insufficient validation of the 'monitor_directory' parameter sent via POST. An attacker who is authenticated can exploit this by sending malicious content that is reflected back to an authenticated user, potentially allowing the attacker to steal information from the user's session.

Impact Analysis

The vulnerability can allow an attacker to execute malicious scripts in the context of an authenticated user's session. This can lead to theft of sensitive information such as session tokens, which may result in unauthorized access to the user's account or data compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart