CVE-2025-41000

Cross-Frame Scripting (XFS) in BoomCMS

CVSS 2.1 LOWEPSS 0.3%CWE-1021

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

03 Sep 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the user, so it is perceived as a minor threat to web application security. This vulnerability only works in older browsers.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

BoomCMS · BoomCMS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.incibe.es/en/incibe-cert/notices/aviso/cross-frame-scripting-xfs-boomcms