Vulnerability-Lookup

CNVD-2026-03178

Vulnerability from cnvd - Published: 2026-01-09

Title

Growatt ShineLan-X跨站脚本漏洞（CNVD-2026-0317861）

Description

Growatt ShineLan-X是古瑞瓦特公司（Growatt）推出的一款太阳能逆变器数据采集器，主要用于将太阳能逆变器连接到网络，实现数据的远程监控和管理。 Growatt ShineLan-X存在跨站脚本漏洞，该漏洞源于本地配置Web服务器对用户提供的数据缺乏有效过滤与转义，目前没有详细的漏洞细节提供。

Severity

高

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.growatt.com/

Reference

https://csirt.divd.nl/CVE-2025-36748/

Impacted products

Name
Growatt ShineLan-X >=3.6.0.0，<=3.6.0.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-36748",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-36748"
    }
  },
  "description": "Growatt ShineLan-X\u662f\u53e4\u745e\u74e6\u7279\u516c\u53f8\uff08Growatt\uff09\u63a8\u51fa\u7684\u4e00\u6b3e\u592a\u9633\u80fd\u9006\u53d8\u5668\u6570\u636e\u91c7\u96c6\u5668\uff0c\u4e3b\u8981\u7528\u4e8e\u5c06\u592a\u9633\u80fd\u9006\u53d8\u5668\u8fde\u63a5\u5230\u7f51\u7edc\uff0c\u5b9e\u73b0\u6570\u636e\u7684\u8fdc\u7a0b\u76d1\u63a7\u548c\u7ba1\u7406\u3002\n\nGrowatt ShineLan-X\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672c\u5730\u914d\u7f6eWeb\u670d\u52a1\u5668\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.growatt.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-03178",
  "openTime": "2026-01-09",
  "products": {
    "product": "Growatt ShineLan-X \u003e=3.6.0.0\uff0c\u003c=3.6.0.2"
  },
  "referenceLink": "https://csirt.divd.nl/CVE-2025-36748/",
  "serverity": "\u9ad8",
  "submitTime": "2025-12-25",
  "title": "Growatt ShineLan-X\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2026-0317861\uff09"
}

CVE-2025-36748 (GCVE-0-2025-36748)

Vulnerability from cvelistv5 – Published: 2025-12-13 08:16 – Updated: 2025-12-16 11:02

Title

Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X

Summary

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code.

Severity ?

8.4 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Assigner

DIVD

References

URL

Tags

https://csirt.divd.nl/CVE-2025-36748/

third-party-advisory

Impacted products

	Vendor	Product	Version
	Growatt	ShineLan-X	Affected: 3.6.0.0 , ≤ 3.6.0.2 (semver)

Credits

Hamid Rahmouni Victor Pasman

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T20:27:50.124259Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T20:33:24.697Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ShineLan-X",
          "vendor": "Growatt",
          "versions": [
            {
              "lessThanOrEqual": "3.6.0.2",
              "status": "affected",
              "version": "3.6.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hamid Rahmouni"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Victor Pasman"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code."
            }
          ],
          "value": "ShineLan-X contains\u00a0a stored cross site scripting (XSS) vulnerability in the local configuration\u00a0web server. The JavaScript code snippet can be inserted\u00a0in the communication module\u2019s settings center. This may allow attackers to force a\u00a0legitimate user\u2019s browser\u2019s JavaScript engine to run malicious code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-441",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-441 Malicious Logic Insertion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T11:02:11.082Z",
        "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "shortName": "DIVD"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://csirt.divd.nl/CVE-2025-36748/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
    "assignerShortName": "DIVD",
    "cveId": "CVE-2025-36748",
    "datePublished": "2025-12-13T08:16:23.523Z",
    "dateReserved": "2025-04-15T21:54:36.814Z",
    "dateUpdated": "2025-12-16T11:02:11.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-03178

CVE-2025-36748 (GCVE-0-2025-36748)

Tags

Sightings

Nomenclature