HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.
Conclusion & alert: CVE-2023-48199 is rated Exploit Available (59.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.50%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.06% | 0.50% | -0.56% |
| 2 | 2026-04-26 | 0.91% | 1.06% | +0.15% |
| 3 | 2026-02-25 | — | 0.91% | — |
Full EPSS history (15 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2023-48199: 1 source package rows (grocy); 1 state rows across 1 repos (3.19-community); fixed 0, open 1. | https://security.alpinelinux.org/vuln/CVE-2023-48199 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| grocy_project | grocy | 4.0.3 | cpe:2.3:a:grocy_project:grocy:4.0.3:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/grocy/grocy | Product |
| https://grocy.info | Product |
| https://nitipoom-jar.github.io/CVE-2023-48199/ | Exploit Third Party Advisory |
| https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48199 |