CVE-2025-67984 in NPS Computy Plugin
Summary
by MITRE • 02/20/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS.This issue affects NPS computy: from n/a through <= 2.8.2.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability identified as CVE-2025-67984 represents a critical cross-site scripting flaw within the calliko NPS computy nps-computy application, specifically manifesting as a DOM-based XSS vulnerability that poses significant security risks to web applications. This issue stems from improper neutralization of input during web page generation processes, creating an avenue for malicious actors to inject and execute arbitrary JavaScript code within the victim's browser context. The vulnerability affects all versions of the NPS computy application from the initial release through version 2.8.2, indicating a persistent flaw that has remained unaddressed across multiple iterations of the software.
The technical implementation of this vulnerability occurs within the application's web page generation mechanisms where user-supplied input is not adequately sanitized or escaped before being processed and rendered in the browser's Document Object Model. DOM-based XSS vulnerabilities are particularly concerning because they exploit the browser's interpretation of dynamic content rather than traditional server-side input validation failures, making them more difficult to detect and prevent. The flaw allows attackers to manipulate the DOM structure through malicious input parameters that are subsequently executed in the victim's browser, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the user. This type of vulnerability directly maps to CWE-79, which specifically addresses cross-site scripting conditions where input is not properly neutralized.
The operational impact of this vulnerability extends beyond simple data exposure, as it enables attackers to establish persistent footholds within affected systems. When exploited, the DOM-based XSS vulnerability allows threat actors to execute malicious scripts that can capture user credentials, modify page content, redirect users to malicious sites, or perform actions that appear to originate from legitimate users within the application. The attack vector typically involves crafting malicious URLs or input parameters that, when processed by the vulnerable application, trigger the execution of harmful JavaScript code in the victim's browser environment. This vulnerability is particularly dangerous in enterprise environments where NPS computy applications may handle sensitive user data and administrative functions, as successful exploitation could lead to complete compromise of user sessions and potential lateral movement within network infrastructure.
Mitigation strategies for CVE-2025-67984 require immediate attention through comprehensive input validation and output encoding mechanisms. Organizations should implement robust content security policies that restrict script execution within the application's DOM, employ proper HTML escaping techniques for all dynamic content, and utilize modern web application firewalls to detect and block suspicious input patterns. The recommended approach includes updating to patched versions of the NPS computy application where available, implementing strict input sanitization routines, and conducting thorough security testing to identify similar vulnerabilities within the application's codebase. Additionally, security teams should monitor for exploitation attempts through network traffic analysis and implement proper logging mechanisms to track suspicious activities that may indicate attempted exploitation of this vulnerability. The remediation process should align with ATT&CK framework techniques related to defensive measures against client-side attacks, emphasizing the importance of proper input validation and output encoding as fundamental security controls. Organizations must also consider implementing user education programs to recognize potential phishing attempts that may leverage this vulnerability, as well as establishing incident response procedures specifically designed to handle cross-site scripting exploitation scenarios.