CVE-2025-30755: 
NixOS vulnerability analysis and mitigation

OpenGrok 1.14.1 contains a reflected Cross-Site Scripting (XSS) vulnerability that occurs when producing the cross reference page. The vulnerability was discovered in September 2025 and was assigned CVE-2025-30755. The issue specifically affects OpenGrok version 1.14.1 and stems from improper handling of the revision parameter (Oracle Advisory, NVD).

The vulnerability occurs due to improper handling of the revision parameter where the application reflects unsanitized user input into the HTML output. The issue has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

When successfully exploited, this vulnerability can lead to cross-site scripting attacks, potentially allowing attackers to execute malicious scripts in the context of the user's browser session. This could result in theft of sensitive information, session hijacking, or other client-side attacks (NVD).

The vulnerability was reported to Oracle and documented in their security advisory. Users should monitor Oracle's security advisories for patches and updates to address this vulnerability (Oracle Advisory).