Raspberry Pi enthusiasts who run RPi-Jukebox-RFID (the popular open-source project that turns a Pi into an RFID-triggered music jukebox, often called Phoniebox) should be aware of a stored cross-site scripting (XSS) vulnerability in version 2.8.0, tracked as CVE-2025-10370.
Discovered and publicly detailed in late 2025 (CVE published September 13, 2025), this flaw lives in the web interface's userScripts.php page. The customScript parameter meant for entering custom shell script paths or commands fails to properly sanitize or escape user input before it's reflected back into the page (likely when viewing or rendering the user scripts list). An attacker who can reach the admin web panel can inject arbitrary JavaScript that executes in the context of any user who later loads that page.
The proof-of-concept exploit shared (authored by Beatriz Fresno Naumova and published on Exploit-DB as ID 52470 in early 2026) is straightforward:
1. It posts a classic XSS payload like "><img src=x onerror=alert("XSS - CVE-2025-10370")> to the customScript field via a simple POST request to /phoniebox/htdocs/userScripts.php.
2. The PoC needs no authentication bypass: the web UI normally requires login, so this is an authenticated stored XSS.
3. Once the payload has been saved, it executes every time a user loads userScripts.php; in the PoC this shows up as an alert box. In a real attack the same injection point could be used to steal session cookies, send CSRF requests on the victim's behalf, or redirect users to a phishing site.
Impact here is moderate but real: on a home or small-setup jukebox, the attack surface is limited (LAN-only access by default, single-user admin). But in shared environments, maker spaces, libraries, or kiosks running this software, it could let a malicious user escalate to session hijacking or trick admins into unwanted actions.
Key points:
1. Impacts RPi-Jukebox-RFID v2.8.0.
2. A fix exists in later releases: the maintainer, MiczFlor, rolled it into an additional security patch alongside several other vulnerabilities fixed during 2024-2025. Look in the GitHub repo for versions after v2.8.0 (the 3.x branches are harder to patch).
3. There is no evidence of widespread in-the-wild exploitation, but stored XSS PoCs like this one are easy for anyone with access to weaponize.
To Mitigate Risk:
1. Upgrade your installation to version 2.8.1 or later, available at https://github.com/MiczFlor/RPi-Jukebox-RFID/releases, following the upgrade instructions in the project's wiki.
2. If upgrading to version 2.8.1 or later is not an option, do not enter untrusted input in the Custom Script field of the web interface, and restrict who can reach the web interface with a firewall (local-only or IP-restricted rules).
3. As a best practice for any Phoniebox setup, always run the web server behind some form of authentication, use HTTPS where possible (a self-signed certificate is acceptable on a LAN), and monitor your logs for unusual POST requests to userScripts.php.
4. To test safely, submit the proof-of-concept payload from this post to your own instance in a test environment, then reload the page and confirm whether the alert fires.
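Two of the points above lend themselves to a short worked example: why unescaped reflection of the customScript value lets the payload break out of its attribute (and how output encoding stops it), and what the recommended log monitoring for POSTs to userScripts.php looks like in practice. This is an added illustration, not code from the RPi-Jukebox-RFID project; the rendering functions are a simplified stand-in for the bug class rather than the real userScripts.php, and the log lines are constructed samples.

```python
import html
import re

# Payload in the form the PoC uses; used here only to check the encoding.
PAYLOAD = '"><img src=x onerror=alert("XSS - CVE-2025-10370")>'


def render_custom_script_unsafe(value: str) -> str:
    """Simplified stand-in for the bug class (not the project's code): the
    saved value is pasted into the page unescaped, so a quote closes the
    attribute and any markup that follows is parsed as HTML."""
    return f'<input name="customScript" value="{value}">'


def render_custom_script_safe(value: str) -> str:
    """Hardened form: HTML-escape the value, including quotes, before it
    reaches an attribute, so the browser sees text rather than markup."""
    return f'<input name="customScript" value="{html.escape(value, quote=True)}">'


def breaks_out(rendered: str) -> bool:
    """True if the rendered markup contains any tag other than the single
    <input> we intended, i.e. the value escaped its attribute context."""
    tags = re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return tags != ["input"]


# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_userscript_posts(log_lines):
    """Return (ip, timestamp, status) for every POST to userScripts.php.
    On a single-admin jukebox, script edits should be rare, so each hit
    deserves a look; GETs of the page are normal and are not reported."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/userScripts.php"):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.168.1.20 - - [14/Sep/2025:10:01:02 +0000] "GET /phoniebox/htdocs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [14/Sep/2025:10:03:15 +0000] "POST /phoniebox/htdocs/userScripts.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.168.1.20 - - [14/Sep/2025:10:04:40 +0000] "GET /phoniebox/htdocs/userScripts.php HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(render_custom_script_unsafe(PAYLOAD))
    print(render_custom_script_safe(PAYLOAD))
    for hit in suspicious_userscript_posts(SAMPLE_LOG):
        print("POST to userScripts.php:", hit)
```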
This is yet another reminder that even fun, hobbyist projects can harbor web vulns, especially when they expose a PHP-based admin panel. Kudos to the researcher for responsible disclosure and to the maintainer for keeping the project alive.
Source: Exploit DB
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067