Multiple vulnerabilities in Kubysoft

Posted date 16/02/2026
Identifier
INCIBE-2026-116
Importance
3 - Medium
Affected Resources

Kubysoft.

Description

INCIBE has coordinated the publication of three medium-severity vulnerabilities affecting Kubysoft, a cloud-based enterprise resource planning (ERP) software platform. The vulnerabilities were discovered by David Padilla Alvarado.

Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-59904: CVSS v4.0: 5.1 | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2025-59905: CVSS v4.0: 4.8 | AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The vulnerabilities have been fixed by the Kubysoft team in the latest version of the software.

Detail
  • CVE-2025-59904: stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource.
  • CVE-2025-59905: reflected Cross-Site Scripting (XSS) vulnerability in Kubysoft, which occurs through multiple parameters within the endpoint '/node/kudaby/nodeFN/procedure'. This flaw allows the injection of arbitrary client-side scripts, which are immediately reflected in the HTTP response and executed in the victim's browser.
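
For defenders reviewing exposure before or after upgrading, the following added example (not code from INCIBE or Kubysoft) scans web access logs for requests to the two endpoints named above whose query parameters decode to HTML or script markup. It assumes combined-log-format lines and parameters carried in the query string; the parameter names and log lines are constructed, and the markup pattern is a heuristic chosen for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Endpoints named in the advisory.
ENDPOINTS = ("/kForms/app", "/node/kudaby/nodeFN/procedure")

# Markup indicators checked after decoding (heuristic, an assumption of this example).
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:", re.I)

# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_no, endpoint, param) for each markup-bearing parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        endpoint = next((e for e in ENDPOINTS if url.path.startswith(e)), None)
        if endpoint is None:
            continue  # not one of the affected endpoints
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if MARKUP.search(decode_fully(value)):
                hits.append((no, endpoint, name))
    return hits

# Constructed sample lines; the parameter names are hypothetical.
SAMPLE = [
    '203.0.113.5 - - [16/Feb/2026:10:00:00 +0000] "GET /node/kudaby/nodeFN/procedure?name=report HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Feb/2026:10:00:05 +0000] "GET /node/kudaby/nodeFN/procedure?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [16/Feb/2026:10:00:09 +0000] "GET /kForms/app?title=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 300',
    '203.0.113.7 - - [16/Feb/2026:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

Access logs normally record only the query string, so parameters sent in a request body need the same check applied to WAF or application logs.
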

CVE

CVE identifier | Severity | Exploitation | Vendor
CVE-2025-59904 | Medium | No | Kubysoft
CVE-2025-59905 | Medium | No | Kubysoft