CVE-2025-11183: QGIS QWC2 Cross-Site Scripting vulnerability

October 13, 2025

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page.

References

github.com/advisories/GHSA-gxp8-m5rq-3m38
github.com/qgis/qwc2
hub.ntc.swiss/ntcf-2025-4286
nvd.nist.gov/vuln/detail/CVE-2025-11183

Code Behaviors & Features

Detect and mitigate CVE-2025-11183 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →