CVE-2025-52331 — MEDIUM (6.1)

Vulnerability Description

Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Rarlab	Winrar	7.11

Related Weaknesses (CWE)

CWE-79

References

https://gist.github.com/MarcinB44/2150484497c4b34aedf682c9091b14faThird Party Advisory
https://www.rarlab.com/rarnew.htmRelease Notes
https://www.win-rar.com/whatsnew.htmlRelease Notes

FAQ

What is CVE-2025-52331?

CVE-2025-52331 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report direc...

How severe is CVE-2025-52331?

CVE-2025-52331 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-52331?

Check the references section above for vendor advisories and patch information. Affected products include: Rarlab Winrar.