Skip to main content

Piranha CMS CVE-2025-67290

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-22 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects that editing Page Settings requires authenticated editor access; all other metrics align with stored XSS with scope change and limited browser-level impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:24 vuln.today

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field.

AnalysisAI

Stored cross-site scripting in Piranha CMS v12.1 allows script injection via the Excerpt field in the Page Settings module, executing arbitrary JavaScript in the browsers of users who subsequently view the affected page. The vulnerability carries a publicly available proof-of-concept exploit hosted on GitHub, though EPSS remains very low at 0.18% (8th percentile), indicating limited observed exploitation activity. No KEV listing exists, and no patch has been confirmed from available data at time of analysis.

Technical ContextAI

Piranha CMS (cpe:2.3:a:dotnetfoundation:piranha_cms:12.1) is an open-source .NET CMS maintained under the .NET Foundation. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input in the Excerpt field of the Page Settings module is stored without adequate sanitization or output encoding. When the stored content is later rendered in a browser context, the injected payload executes as JavaScript. The Stored XSS variant is more severe than reflected XSS because the payload persists in the database and fires automatically for every user who views the affected page, without requiring the attacker to trick the victim into following a crafted link. Scope change (S:C in the CVSS vector) confirms that the injected script executes in the victim's browser context, potentially crossing trust boundaries.

RemediationAI

No vendor-released patch has been identified at time of analysis. Operators running Piranha CMS v12.1 should monitor the official Piranha CMS GitHub repository (https://github.com/PiranhaCMS/piranha.core) for a patched release addressing this stored XSS in the Excerpt field. As a compensating control, restrict access to the Page Settings module so that only fully trusted administrator accounts can edit Excerpt content, reducing the population of principals capable of injecting payloads - note this does not eliminate the risk if admin accounts are compromised. Implementing a strict Content Security Policy (CSP) header that disallows inline script execution can significantly reduce the impact of stored XSS by preventing injected payloads from executing, though misconfigured CSP may break legitimate CMS functionality and must be tested carefully. Additionally, deploying a Web Application Firewall rule to detect and block common XSS payload patterns in POST requests to page settings endpoints can provide detection and partial mitigation. The researcher's PoC at https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67290 can be used to confirm whether a given installation is vulnerable.

Share

CVE-2025-67290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy