CVE-2025-11687: GI-DocGen vulnerable to Reflected XSS via unescaped query strings
A flaw was found in GI-DocGen, the documentation generator for GObject-based libraries. The HTML it generates reads the q GET parameter from the page URL and inserts the value into the document without escaping it, so a crafted link whose q value carries HTML or script executes attacker-supplied JavaScript in the origin of the documentation site for anyone who opens it. From there the script can read the DOM, steal session cookies and mount other client-side attacks (reflected, DOM-based XSS). Because the payload lives in the URL rather than on the server, each victim must be lured to the crafted link, and a statically hosted documentation site will show nothing unusual in its server logs beyond the query string itself. The upstream fix is the gitlab.gnome.org commit listed in the references.
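The rendering pattern the advisory describes, shown as an added example that is not gi-docgen's own code and does not reproduce its search script: a query string taken from the q parameter is reflected into page markup once unescaped and once escaped, with the tag count of the result as the check. The function names, the helper and the crafted URL are assumptions made for illustration; the URL host is constructed and does not exist.

```javascript
// Added example (not gi-docgen's code): reflected DOM XSS via an unescaped
// q parameter, beside the hardened form. Runs under Node without a browser;
// the element used at the end is a plain object standing in for a DOM node.

// Constructed attack link. URLSearchParams percent-decodes the value, so the
// page receives a literal <img ...> tag: URL-encoding in the link is no defence.
const CRAFTED_URL =
  "https://docs.example.invalid/search.html" +
  "?q=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

// Read the q GET parameter exactly as a client-side search page would.
function getQueryParam(pageUrl, name = "q") {
  return new URL(pageUrl).searchParams.get(name);
}

// Vulnerable pattern: the raw query is interpolated into markup that is later
// assigned to element.innerHTML, so any tag inside q is parsed and executed.
function searchHeadingUnsafe(q) {
  return `<h2>Search results for "${q}"</h2>`;
}

// Minimal entity escaping for a text-node context (all five HTML-significant
// characters, so the result is also safe inside a double-quoted attribute).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: escape before the value ever reaches innerHTML.
function searchHeadingSafe(q) {
  return `<h2>Search results for "${escapeHtml(q)}"</h2>`;
}

// Preferred browser fix: write the query through textContent, which creates a
// text node and is never parsed as HTML, so no escaping step can be forgotten.
function renderQuerySafely(headingEl, q) {
  headingEl.textContent = `Search results for "${q}"`;
  return headingEl.textContent;
}

// Check: count element tags in rendered markup. The heading itself contributes
// exactly one; anything beyond that came from the query string.
function countTags(html) {
  const m = html.match(/<[a-z]/gi);
  return m ? m.length : 0;
}

// Stand-alone demonstration.
const q = getQueryParam(CRAFTED_URL);
console.log("decoded q:      ", q);
console.log("unsafe heading: ", searchHeadingUnsafe(q), "tags:", countTags(searchHeadingUnsafe(q)));
console.log("safe heading:   ", searchHeadingSafe(q), "tags:", countTags(searchHeadingSafe(q)));
console.log("textContent:    ", renderQuerySafely({ textContent: "" }, q));
```

The same reasoning applies to any other place the generated pages echo URL data (result counts, "no results for X" messages, highlighted matches): the fix is to treat the parameter as text everywhere, not to filter particular tags out of it.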
References
- access.redhat.com/security/cve/CVE-2025-11687
- bugzilla.redhat.com/show_bug.cgi?id=2403536
- github.com/GNOME/gi-docgen
- github.com/advisories/GHSA-6p6h-rqr6-62mv
- gitlab.gnome.org/GNOME/gi-docgen/-/commit/65d16b8ac178900602da540c8f5df4f52d5e8cf6
- gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
- nvd.nist.gov/vuln/detail/CVE-2025-11687