Piranha CMS
CVE-2025-67291
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CMS Media module write access typically requires authenticated contributor access (PR:L, not PR:N); all other metrics align with stored XSS scope-change characteristics.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.
AnalysisAI
Stored cross-site scripting in Piranha CMS v12.1 allows an attacker who can submit content to the Media module to persist malicious JavaScript in the Name field, which then executes in victims' browsers when the Media section is viewed. A publicly available proof-of-concept exploit exists on GitHub, meaningfully lowering the barrier to exploitation. Despite the network-accessible attack vector and cross-context scope change (S:C), EPSS sits at 0.18% (8th percentile) with no CISA KEV listing, indicating limited real-world exploitation of this niche platform at time of analysis.
Technical ContextAI
Piranha CMS is an open-source .NET CMS maintained under the .NET Foundation (CPE: cpe:2.3:a:dotnetfoundation:piranha_cms:12.1:*:*:*:*:*:*:*). The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored (persistent) XSS variant. User-supplied input in the Media module's Name field is stored without adequate sanitization or output encoding, so when any user with access to the Media admin interface subsequently views the listing, the injected payload executes in their browser context. The scope change metric (S:C) reflects that a payload injected in one security context (the content submission layer) executes in a different context - typically an authenticated administrator session - which is characteristic of stored XSS in CMS admin panels.
RemediationAI
No vendor-released patch is identified at time of analysis - the only available reference is the researcher PoC, and no vendor advisory or fixed version number has been confirmed. As a compensating control, restrict access to the Piranha CMS Media module to trusted, authenticated users and enforce the principle of least privilege so that untrusted contributors cannot upload or rename media items; note this may limit legitimate content workflows. Implementing a Web Application Firewall rule to detect and block HTML or script tags in the Name field can reduce exposure, though such rules may produce false positives on media names containing angle brackets or special characters. Organizations should actively monitor the Piranha CMS GitHub repository for a patched release and apply it promptly upon availability. If the Media upload endpoint is exposed without authentication, it should be restricted to authenticated sessions immediately as a priority measure.
More in Piranha Cms
View allPiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, e
Stored cross-site scripting in Piranha CMS v12.1 allows script injection via the Excerpt field in the Page Settings modu
A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaS
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /m
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing variou
In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. Rated me
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today