CVE-2025-27609: 
Linux Debian vulnerability analysis and mitigation

Icinga Web 2, an open source monitoring web interface, framework and command-line interface, was found to contain a cross-site scripting vulnerability (CVE-2025-27609). The vulnerability affects versions prior to 2.11.5 and 2.12.13, allowing attackers to craft requests that can embed arbitrary JavaScript code into a victim's Icinga Web instance (GitHub Advisory). The issue was discovered and reported by moezbouzayani9, and was officially disclosed on March 26, 2025 (NVD).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 score is rated as LOW with a base vector of CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U (NVD).

When successfully exploited, the vulnerability enables attackers to embed arbitrary JavaScript code into the victim's Icinga Web instance, allowing them to act on behalf of the affected user (GitHub Advisory).

The vulnerability has been patched in Icinga Web 2 versions 2.11.5 and 2.12.3. For users running version 2.12.2 who cannot immediately update, enabling Content Security Policy (CSP) in the application settings serves as a temporary workaround. Additionally, modern browsers with functioning CORS implementations provide sufficient protection against this vulnerability (GitHub Advisory).