CVE-2025-36558 is a reflected cross-site scripting vulnerability in KUNBUS PiCtory version 2.11.1 and earlier. According to the CISA CSAF advisory, an attacker can craft a PiCtory URL whose sso_token value (used for authentication) carries HTML or script content; the application writes that value back into the response unescaped, so the browser of whoever opens the link executes it. As with any reflected XSS, the victim has to be induced to open the attacker-supplied URL. The advisory rates the issue CVSS 6.1 (medium) and lists PiCtory 2.12 as the remediation target.
CVE-2025-35996 is a critical cross-site scripting issue in KUNBUS PiCtory 2.11.1 and earlier. An authenticated remote attacker can submit a specially crafted filename through the API endpoints; when that filename is later shown in the list of configuration files, missing escaping or sanitization lets the browser interpret it as HTML or script content. Unlike the reflected issue, the payload persists in the stored filename, so it fires for every user who subsequently views the list.
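The following is an added illustration of the two XSS patterns described above, not PiCtory's own code and not taken from the KUNBUS project or the advisory. It models the reflected sso_token case (CVE-2025-36558) and the stored-filename case (CVE-2025-35996) as small rendering functions, each beside the output escaping that closes the hole, plus a server-side filename allow-list and a pentest-style check for unescaped reflection. The page templates, the hidden-input placement of sso_token, the host name, the .rsc file extension and all payloads are assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payloads for the demonstration (assumptions, not from the advisory).
EVIL_TOKEN = '"><script>alert(1)</script>'
EVIL_URL = "http://pictory.example/?sso_token=" + quote(EVIL_TOKEN)
EVIL_FILENAME = "<img src=x onerror=alert(1)>.rsc"
GOOD_FILENAME = "rev_pi_config.rsc"


def _sso_token_from(url: str) -> str:
    """Pull sso_token out of the query string, as a login page would."""
    return parse_qs(urlsplit(url).query).get("sso_token", [""])[0]


def login_page_vulnerable(url: str) -> str:
    """Reflected XSS pattern (modelled on CVE-2025-36558): the token is written
    straight back into the HTML, so a quote and a tag in it become markup."""
    return f'<input type="hidden" name="sso_token" value="{_sso_token_from(url)}">'


def login_page_fixed(url: str) -> str:
    """Same page with the token escaped for an HTML attribute context."""
    token = html.escape(_sso_token_from(url), quote=True)
    return f'<input type="hidden" name="sso_token" value="{token}">'


def config_list_vulnerable(filenames) -> str:
    """Stored XSS pattern (modelled on CVE-2025-35996): filenames accepted
    earlier through the API are listed without escaping."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in filenames) + "</ul>"


def config_list_fixed(filenames) -> str:
    """Same list with every filename escaped for HTML text context."""
    return "<ul>" + "".join(f"<li>{html.escape(n)}</li>" for n in filenames) + "</ul>"


# Assumed allow-list for configuration names: a plain basename ending in .rsc.
# The .rsc suffix is an assumption about PiCtory's file naming, not from the advisory.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,59}\.rsc$")


def filename_is_acceptable(name: str) -> bool:
    """Input validation to pair with output escaping: no slashes, no markup,
    no traversal sequences, bounded length, expected extension."""
    return bool(FILENAME_RE.fullmatch(name)) and ".." not in name


def reflected_unescaped(url: str, body: str) -> bool:
    """Assessment check: does the raw sso_token from the URL appear verbatim in
    the response body? Only meaningful when the token contains characters that
    escaping would have changed, so a benign token never yields a false positive."""
    token = _sso_token_from(url)
    return token != html.escape(token, quote=True) and token in body


if __name__ == "__main__":
    print("vulnerable login reflects payload:", reflected_unescaped(EVIL_URL, login_page_vulnerable(EVIL_URL)))
    print("fixed login reflects payload:    ", reflected_unescaped(EVIL_URL, login_page_fixed(EVIL_URL)))
    print("vulnerable list:", config_list_vulnerable([EVIL_FILENAME]))
    print("fixed list:     ", config_list_fixed([EVIL_FILENAME]))
    print("filename accepted:", filename_is_acceptable(GOOD_FILENAME), filename_is_acceptable(EVIL_FILENAME))
```

The escaping functions are the fix that matters; the filename allow-list is defence in depth, since a stored name that never reaches the page as markup cannot be executed, and the reflection check is what an assessor would run against a test instance before and after upgrading to 2.12.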
CVE-2025-32011 is a critical remote authentication bypass affecting KUNBUS Revolution Pi PiCtory versions 2.5.0 through 2.11.1. The issue is described in the CISA CSAF advisory as a path traversal condition that can let a remote attacker access the application without valid authentication. CISA published the advisory on 2025-05-01 and updated it on 2025-07-10, noting an additional image release in the mit [truncated]