CVE-2025-40986
Received Received - Intake
Reflected XSS in PideTuCita cookies/indes.php Enables Data Theft

Publication date: 2026-02-23

Last updated on: 2026-02-23

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Reflected Cross-Site Scripting (XSS) vulnerability in PideTuCita. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the endpoint 'cookies/indes.php/<XSS>'. This vulnerability can be exploited to steal confidential user data, such as session cookies or to perform actions on behalf of the user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40986
EUVD
EUVD-2025-207658
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pidetucita pidetucita to 6.0.52 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-40986 is a reflected Cross-Site Scripting (XSS) vulnerability in PideTuCita versions prior to 6.0.52.'}, {'type': 'paragraph', 'content': "This vulnerability allows an attacker to execute arbitrary JavaScript code in a victim’s browser by sending a malicious URL targeting the endpoint 'cookies/indes.php/<XSS>'."}, {'type': 'paragraph', 'content': 'The attacker can exploit this flaw to steal sensitive user data such as session cookies or perform unauthorized actions on behalf of the user.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious JavaScript code in your browser.

  • Steal confidential user data such as session cookies.
  • Perform unauthorized actions on your behalf within the affected application.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the PideTuCita application for reflected Cross-Site Scripting (XSS) on the endpoint 'cookies/indes.php/'."}, {'type': 'paragraph', 'content': 'A common method is to send a crafted URL containing a JavaScript payload to the vulnerable endpoint and observe if the script is executed in the browser.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or a browser to request a URL like: http://<target>/cookies/indes.php/<script>alert(1)</script> and check if the alert is triggered.'}, {'type': 'paragraph', 'content': 'Alternatively, use web vulnerability scanners that support XSS detection to automate this process.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade PideTuCita to version 6.0.52 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider implementing input validation and output encoding on the affected endpoint to prevent execution of malicious scripts.

Additionally, monitor and restrict access to the vulnerable endpoint and educate users to avoid clicking on suspicious URLs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40986. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart