CVE-2025-8032

XSLT documents could bypass CSP

CVSS 8.1 HIGHEPSS 0.3%CWE-693

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

22 Jul 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products

Mozilla · Firefox Mozilla · Thunderbird

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1974407 https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html https://www.mozilla.org/security/advisories/mfsa2025-56/https://www.mozilla.org/security/advisories/mfsa2025-58/https://www.mozilla.org/security/advisories/mfsa2025-59/https://www.mozilla.org/security/advisories/mfsa2025-61/https://www.mozilla.org/security/advisories/mfsa2025-62/https://www.mozilla.org/security/advisories/mfsa2025-63/