CISA Software Acquisition Guide Supplier Response Web Tool Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in the CISA Software Acquisition Guide Supplier Response Web Tool, affecting versions prior to December 11, 2025. The issue arises from text fields that allow the injection of malicious JavaScript. If an attacker convinces a user to import a specially-crafted JSON file, the Tool will execute the embedded JavaScript in the context of the user's browser when the page is submitted.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected JavaScript is executed in the user's browser, potentially leading to session hijacking or other malicious actions.

Added: Dec 12, 2025, 9:38 PM

Updated: Dec 12, 2025, 9:38 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.4

remediation

0.0

relevance

1.5

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.4

remediation

0.0

relevance

1.5

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

CISA Software Acquisition Guide Supplier Response Web Tool Cross-Site Scripting Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating