Skip to main content

Piranha CMS CVE-2025-67291

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-22 cve@mitre.org
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

CMS Media module write access typically requires authenticated contributor access (PR:L, not PR:N); all other metrics align with stored XSS scope-change characteristics.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 04:25 vuln.today

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.

AnalysisAI

Stored cross-site scripting in Piranha CMS v12.1 allows an attacker who can submit content to the Media module to persist malicious JavaScript in the Name field, which then executes in victims' browsers when the Media section is viewed. A publicly available proof-of-concept exploit exists on GitHub, meaningfully lowering the barrier to exploitation. Despite the network-accessible attack vector and cross-context scope change (S:C), EPSS sits at 0.18% (8th percentile) with no CISA KEV listing, indicating limited real-world exploitation of this niche platform at time of analysis.

Technical ContextAI

Piranha CMS is an open-source .NET CMS maintained under the .NET Foundation (CPE: cpe:2.3:a:dotnetfoundation:piranha_cms:12.1:*:*:*:*:*:*:*). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored (persistent) XSS variant. User-supplied input in the Media module's Name field is stored without adequate sanitization or output encoding, so when any user with access to the Media admin interface subsequently views the listing, the injected payload executes in their browser context. The scope change metric (S:C) reflects that a payload injected in one security context (the content submission layer) executes in a different context - typically an authenticated administrator session - which is characteristic of stored XSS in CMS admin panels.

RemediationAI

No vendor-released patch is identified at time of analysis - the only available reference is the researcher PoC, and no vendor advisory or fixed version number has been confirmed. As a compensating control, restrict access to the Piranha CMS Media module to trusted, authenticated users and enforce the principle of least privilege so that untrusted contributors cannot upload or rename media items; note this may limit legitimate content workflows. Implementing a Web Application Firewall rule to detect and block HTML or script tags in the Name field can reduce exposure, though such rules may produce false positives on media names containing angle brackets or special characters. Organizations should actively monitor the Piranha CMS GitHub repository for a patched release and apply it promptly upon availability. If the Media upload endpoint is exposed without authentication, it should be restricted to authenticated sessions immediately as a priority measure.

Share

CVE-2025-67291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy