CVE-2025-67634

low-risk

Published 2025-12-12

The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next').

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Software Acquisition Guide

Affected Vendors

Cisa

References (3)

Vendor Advisory https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/...

Product https://www.cisa.gov/software-acquisition-guide/tool

Vendor Advisory https://www.cve.org/CVERecord?id=CVE-2025-67634

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal