Piranha CMS
CVE-2025-67290
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
PR:L reflects that editing Page Settings requires authenticated editor access; all other metrics align with stored XSS with scope change and limited browser-level impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field.
AnalysisAI
Stored cross-site scripting in Piranha CMS v12.1 allows script injection via the Excerpt field in the Page Settings module, executing arbitrary JavaScript in the browsers of users who subsequently view the affected page. The vulnerability carries a publicly available proof-of-concept exploit hosted on GitHub, though EPSS remains very low at 0.18% (8th percentile), indicating limited observed exploitation activity. No KEV listing exists, and no patch has been confirmed from available data at time of analysis.
Technical ContextAI
Piranha CMS (cpe:2.3:a:dotnetfoundation:piranha_cms:12.1) is an open-source .NET CMS maintained under the .NET Foundation. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input in the Excerpt field of the Page Settings module is stored without adequate sanitization or output encoding. When the stored content is later rendered in a browser context, the injected payload executes as JavaScript. The Stored XSS variant is more severe than reflected XSS because the payload persists in the database and fires automatically for every user who views the affected page, without requiring the attacker to trick the victim into following a crafted link. Scope change (S:C in the CVSS vector) confirms that the injected script executes in the victim's browser context, potentially crossing trust boundaries.
RemediationAI
No vendor-released patch has been identified at time of analysis. Operators running Piranha CMS v12.1 should monitor the official Piranha CMS GitHub repository (https://github.com/PiranhaCMS/piranha.core) for a patched release addressing this stored XSS in the Excerpt field. As a compensating control, restrict access to the Page Settings module so that only fully trusted administrator accounts can edit Excerpt content, reducing the population of principals capable of injecting payloads - note this does not eliminate the risk if admin accounts are compromised. Implementing a strict Content Security Policy (CSP) header that disallows inline script execution can significantly reduce the impact of stored XSS by preventing injected payloads from executing, though misconfigured CSP may break legitimate CMS functionality and must be tested carefully. Additionally, deploying a Web Application Firewall rule to detect and block common XSS payload patterns in POST requests to page settings endpoints can provide detection and partial mitigation. The researcher's PoC at https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67290 can be used to confirm whether a given installation is vulnerable.
More in Piranha Cms
View allPiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, e
Stored cross-site scripting in Piranha CMS v12.1 allows an attacker who can submit content to the Media module to persis
A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaS
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /m
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing variou
In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. Rated me
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today