A reflected Cross-Site Scripting (XSS) vulnerability has been
found in Eventobot. This vulnerability allows an attacker to execute
JavaScript code in the victim's browser by sending the victim a malicious
URL that uses the 'name' parameter of '/search-results'. This vulnerability
can be exploited to steal sensitive user data, such as session cookies,
or to perform actions on behalf of the user.
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-40638",
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"dateUpdated": "2026-03-09T09:04:35.730Z",
"dateReserved": "2025-04-16T08:38:10.819Z",
"datePublished": "2026-03-09T09:04:35.730Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE",
"dateUpdated": "2026-03-09T09:04:35.730Z"
},
"datePublic": "2026-03-09T09:03:00.000Z",
"title": "Reflected Cross-Site Scripting (XSS) in Eventobot",
"descriptions": [
{
"lang": "en",
"value": "A reflected Cross-Site Scripting (XSS) vulnerability has been \nfound in Eventobot. This vulnerability allows an attacker to execute \nJavaScript code in the victim's browser by sending him/her a malicious \nURL using the 'name' parameter in '/search-results'. This vulnerability \ncan be exploited to steal sensitive user data, such as session cookies, \nor to perform actions on behalf of the user.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "A reflected Cross-Site Scripting (XSS) vulnerability has been \nfound in Eventobot. This vulnerability allows an attacker to execute \nJavaScript code in the victim's browser by sending him/her a malicious \nURL using the 'name' parameter in '/search-results'. This vulnerability \ncan be exploited to steal sensitive user data, such as session cookies, \nor to perform actions on behalf of the user."
}
]
}
],
"affected": [
{
"vendor": "EVENTOBOT",
"product": "Eventobot",
"defaultStatus": "unaffected",
"versions": [
{
"version": "all versions",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-eventobot",
"tags": [
"patch"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"solutions": [
{
"lang": "en",
"value": "The vulnerability has been fixed by the Eventobot team in the latest version.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "The vulnerability has been fixed by the Eventobot team in the latest version."
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gonzalo Aguilar García (6h4ack)",
"type": "finder"
}
]
}
}
}