CVE-2025-41355
Received Received - Intake
Reflected XSS in Anon Proxy Server Allows Session Hijacking

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. It affects 'port' and 'proxyPort' parameters in '/anon.php' endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41355
EUVD
EUVD-2025-209137
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anonproxyserver anon_proxy_server 0.104
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The Reflected Cross-Site Scripting (XSS) vulnerability in Anon Proxy Server v0.104 allows attackers to execute malicious JavaScript in a victim's browser, potentially stealing sensitive user data such as session cookies or performing unauthorized actions on behalf of the user.

Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information from unauthorized access and breaches.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive user data and failing to ensure adequate security controls.

Executive Summary

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue found in Anon Proxy Server version 0.104. It occurs in the 'port' and 'proxyPort' parameters of the '/anon.php' endpoint. An attacker can exploit this by sending a malicious URL to a victim, which causes the victim's browser to execute attacker-controlled JavaScript code.

The executed JavaScript can be used to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user without their consent.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you visit a specially crafted URL. This can lead to theft of sensitive information like session cookies, which may allow attackers to hijack your sessions.

Additionally, attackers could perform unauthorized actions on your behalf within the affected application, potentially compromising your account or data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41355. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart