CVE-2025-13672

Reflected Cross-Site Scripting discovered in OpenText WSM Management Server.

CVSS 7 HIGHEPSS 0.2%CWE-79

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7EPSS 0.2%KEV nãoPoC —Patch —

Lifecycle

Feb 19, 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1.

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/S:P/AU:N/R:U/V:D/RE:H/U:Red

Affected products

OpenText™ · Web Site Management Server

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/MarioTesoro/vulnerability-research/blob/main/CVE-2025-13672/README.md https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847