CVE-2025-11687

Name: CVE-2025-11687
Description: A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Source: CVE (at NVD)
Debian Bugs: 1118145

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release    Version        Status
gi-docgen (PTS)    bookworm   2023.1+ds-2    vulnerable
                   trixie     2025.3-1       vulnerable
                   forky      2025.5-1       fixed
                   sid        2026.1-1       fixed

The information below is based on the following data on fixed versions.

Package      Type     Release       Fixed Version   Urgency   Origin   Debian Bugs
gi-docgen    source   (unstable)    2025.5-1                           1118145

Notes

[trixie] - gi-docgen <no-dsa> (Minor issue)
[bookworm] - gi-docgen <no-dsa> (Minor issue)
https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
https://gitlab.gnome.org/GNOME/gi-docgen/-/merge_requests/254
Fixed by: https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68 (2025.5)
