CVE-2025-30223 · CRITICAL 9.6 · EPSS percentile 40.8%

Description

Beego is an open-source web framework for the Go programming language. Prior to version 2.3.6, a Cross-Site Scripting (XSS) vulnerability exists in Beego's RenderForm() function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application that passes user-provided data to Beego's RenderForm() function. Because RenderForm() is a high-level function that generates the entire form markup, many developers would assume it automatically escapes attribute values (as most frameworks do). This vulnerability is fixed in version 2.3.6.

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.53% probability of exploitation · percentile 40.8% · 2026-06-18T12:00:27Z
Published: 2025-03-31
Last modified: 2025-08-01

Underlying weaknesses · 1

CWE-79

References

  1. https://github.com/beego/beego/commit/939bb18c66406466715ddadd25dd9ffa6f169e25
  2. https://github.com/beego/beego/security/advisories/GHSA-2j42-h78h-q4fg


Type: Weakness · Target: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-53587
CVE-2025-58250
CVE-2025-2307
CVE-2025-61732
CVE-2025-6396
CVE-2025-12233

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.