CVE-2025-11687 — GI-DocGen vulnerable to Reflected XSS via unescaped query strings

Description

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).

How to fix CVE-2025-11687

To remediate CVE-2025-11687, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 2025.5 or later

Is CVE-2025-11687 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 2025.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11687
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-11687
PATCHgithub.com/GNOME/gi-docgen
WEBaccess.redhat.com/security/cve/CVE-2025-11687
WEB