{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T01:23:31.026","vulnerabilities":[{"cve":{"id":"CVE-2025-27608","sourceIdentifier":"security-advisories@github.com","published":"2025-04-02T22:15:19.510","lastModified":"2025-04-07T14:18:34.453","vulnStatus":"Awaiting Analysis","cveTags":[],"descriptions":[{"lang":"en","value":"Arduino IDE 2.x is an IDE based on the Theia IDE framework and built with Electron. A Self Cross-Site Scripting (XSS) vulnerability has been identified within the Arduino-IDE prior to version v2.3.5. The vulnerability occurs in the Additional Board Manager URLs field, which can be found in the Preferences -> Settings section of the Arduino IDE interface. In the vulnerable versions, any values entered in this field are directly displayed to the user through a notification tooltip object, without a proper output encoding routine, due to the underlying ElectronJS engine interpretation. This vulnerability exposes the input parameter to Self-XSS attacks, which may lead to security risks depending on where the malicious payload is injected. This vulnerability is fixed in 2.3.5."},{"lang":"es","value":"Arduino IDE 2.x es un IDE basado en Theia IDE framework y creado con Electron. Se ha identificado una vulnerabilidad de Cross-Site Scripting (XSS) dentro del Arduino-IDE antes de la versión v2.3.5. La vulnerabilidad ocurre en el campo URLS de Administrador de placa adicional, que se puede encontrar en la sección Preferencias -> Configuración de la interfaz IDE Arduino. En las versiones vulnerables, los valores ingresados en este campo se muestran directamente al usuario a través de un objeto de información sobre herramientas de notificación, sin una rutina de codificación de salida adecuada, debido a la interpretación subyacente del motor ElectronJS. Esta vulnerabilidad expone el parámetro de entrada a los ataques AutoXSS, lo que puede conducir a riesgos de seguridad dependiendo de dónde se inyecte el payload malicioso. Esta vulnerabilidad se fija en 2.3.5."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0\/AV:L\/AC:L\/AT:N\/PR:N\/UI:A\/VC:L\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N\/E:U\/CR:X\/IR:X\/AR:X\/MAV:X\/MAC:X\/MAT:X\/MPR:X\/MUI:X\/MVC:X\/MVI:X\/MVA:X\/MSC:X\/MSI:X\/MSA:X\/S:X\/AU:X\/R:X\/V:X\/RE:X\/U:X","baseScore":1.0,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https:\/\/github.com\/arduino\/arduino-ide\/commit\/d298b3ffc94008e89066cd999d891e84190da18f","source":"security-advisories@github.com"},{"url":"https:\/\/github.com\/arduino\/arduino-ide\/security\/advisories\/GHSA-252h-4j5q-88pc","source":"security-advisories@github.com"}]}}]}