CVE-2025-27404: 
Linux Debian vulnerability analysis and mitigation

Icinga Web 2, an open source monitoring web interface, framework and command-line interface, was found to contain a DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-27404). The vulnerability affects versions prior to 2.11.5 and 2.12.13, allowing attackers to craft malicious URLs that, when visited by users, can embed arbitrary JavaScript code into Icinga Web and execute actions on behalf of the victim (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H. This indicates that while the attack requires high complexity and high privileges, it can result in significant impact across confidentiality, integrity, and availability when successfully exploited. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).

When successfully exploited, the vulnerability allows attackers to embed and execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to complete compromise of the user's session, potentially allowing attackers to perform any action available to the affected user within Icinga Web (GitHub Advisory).

The vulnerability has been patched in Icinga Web 2 versions 2.11.5 and 2.12.3. For users running version 2.12.2 who cannot immediately upgrade, a workaround is available by enabling Content Security Policy (CSP) in the application settings (GitHub Release, GitHub Advisory).

The vulnerability was discovered and reported by security researcher Alemmi, with coordination handled by u238. The vendor has classified this as a high-severity issue and recommends immediate upgrade to the patched versions (GitHub Advisory).