Is there a public PoC exploit available for CVE-2025-11332?

Yes, a public proof-of-concept exploit is available for CVE-2025-11332. Prioritise patching immediately. EPSS: 0.0%.

CmsEasy CVE-2025-11332

Q: What is the CVSS score of CVE-2025-11332?

CVE-2025-11332 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Cross-site Scripting (XSS) (CWE-79)

2025-10-06 cna@vuldb.com

PHP XSS Cmseasy

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 02:00 vuln.today

DescriptionCVE.org

A vulnerability was determined in CmsEasy up to 7.7.7. This affects an unknown function in the library lib/inc/view.php of the component URL Handler. Executing a manipulation of the argument PHP_SELF can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in CmsEasy up to version 7.7.7 allows authenticated remote attackers to inject malicious scripts via manipulation of the PHP_SELF argument in the URL handler component (lib/inc/view.php). The vulnerability requires user interaction (clicking a malicious link) and user login to trigger, resulting in limited integrity impact. Publicly available exploit code exists, though EPSS score remains low at 0.03%, reflecting the significant prerequisites (authentication and user click required) that limit real-world exploitation potential. The vendor has not responded to disclosure attempts.

Technical ContextAI

The vulnerability resides in CmsEasy's URL handler component within lib/inc/view.php, where the PHP_SELF server variable is processed without proper sanitization before being output to the client. PHP_SELF is a superglobal environment variable commonly populated from the REQUEST_URI, which is attacker-controllable via HTTP requests. Improper handling of this variable in web output creates a reflected XSS vector (CWE-79). The vulnerability class is server-side code failing to validate and encode user-influenced input before rendering in HTML context. This is distinct from stored XSS as the payload must be delivered via the URL and reflected back to the victim in the same request.

RemediationAI

No vendor-released patch identified at time of analysis; the vendor did not respond to early disclosure attempts. Immediate remediation options are limited. Recommended compensating controls: (1) Implement output encoding/HTML entity encoding of all server variables including PHP_SELF before rendering in HTML context-use built-in functions such as htmlspecialchars() or htmlentities() with ENT_QUOTES flag; (2) Apply a Web Application Firewall (WAF) rule to detect and block requests with script tags or event handlers in query parameters; (3) Enforce Content Security Policy (CSP) headers with restrictive script-src directive to mitigate XSS payload execution even if injected; (4) Restrict CmsEasy administrative access to trusted IP ranges if the application is internal-facing; (5) Monitor for exploitation attempts in access logs by searching for common XSS payloads (script, onerror, onload, etc.) in URL parameters. Trade-off: WAF rules may block legitimate traffic; CSP may break functionality if application relies on inline scripts. Contact CmsEasy maintainers or consider migrating to actively maintained CMS alternatives if security updates remain unavailable.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-11332 vulnerability details – vuln.today

Back

CmsEasy CVE-2025-11332

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code