
Raytha CVE-2025-69241

EUVD-2025-208709 | MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 · CERT-PL
5.3 · CVSS 4.0 · NVD

Severity by source

NVD (primary): 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

Patch available (version 1.4.6): Apr 16, 2026 - 05:29 (EUVD)
EUVD ID assigned (EUVD-2025-208709): Mar 16, 2026 - 12:00 (EUVD)
Analysis generated: Mar 16, 2026 - 12:00 (vuln.today)
CVE published: Mar 16, 2026 - 11:53 (NVD)

Description (CVE.org)

Raytha CMS is vulnerable to Stored XSS via the FirstName and LastName parameters in the profile editing functionality. An authenticated attacker can inject arbitrary HTML and JavaScript into the website, which will be rendered/executed when the edited page is visited.

This issue was fixed in version 1.4.6.

Analysis (AI)

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the profile editing functionality, specifically within the FirstName and LastName parameters. An authenticated attacker can inject arbitrary HTML and JavaScript code that persists in the application and executes in the browsers of users viewing the compromised profile, potentially leading to session hijacking, credential theft, or defacement. This vulnerability has been remediated in version 1.4.6.

Technical Context (AI)

This is a stored XSS flaw (CWE-79) in Raytha CMS's user profile module: the FirstName and LastName values are stored as submitted and later written into HTML without output encoding, so markup placed in them becomes part of the rendered page. The root cause is the missing encoding at the point of output; a Content Security Policy that forbids inline script would limit the damage but is defense in depth, not a substitute for the fix. The injected script runs in the browser of whoever views the page where the name is rendered, under that viewer's session and privileges, which is why the CVSS 4.0 vector records no impact on the vulnerable system itself (VC:N/VI:N/VA:N) and low confidentiality and integrity impact on the subsequent system, the viewer's browser session (SC:L/SI:L), with only low privileges (PR:L, an ordinary account that can edit its own profile) required to plant the payload. The vulnerability affects Raytha CMS (CPE pattern cpe:2.3:a:raytha:raytha_cms) in versions prior to 1.4.6.
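The rendering difference described above, as an added example (this is illustrative code, not Raytha's own view code; the profile record, the `<span>` template and the function names are assumptions chosen for the demonstration):

```javascript
// Added example (not Raytha's code): how a stored XSS payload in a profile
// name field reaches the browser, and how contextual HTML encoding stops it.

// Constructed profile record, as an attacker could store it through the
// profile editor. The payload sits in FirstName; LastName is a legitimate
// name that happens to contain characters naive validation would reject.
const storedProfile = {
  FirstName: '<img src=x onerror="alert(document.cookie)">',
  LastName: "O'Brien & Sons",
};

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so the <img> element and its onerror handler become part of the page.
function renderProfileUnsafe(profile) {
  return `<span class="name">${profile.FirstName} ${profile.LastName}</span>`;
}

// Hardened pattern: every untrusted value is encoded at the point of output.
// The browser shows the payload as literal text and runs nothing.
function renderProfileSafe(profile) {
  return `<span class="name">${escapeHtml(profile.FirstName)} ${escapeHtml(profile.LastName)}</span>`;
}

// Lists every element name in a fragment except the template's own <span>.
// Used here to make the difference between the two renderers checkable.
function injectedTags(html) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
  return names.filter(n => n !== 'span');
}

// Reverses escapeHtml. Decoding &amp; last avoids turning "&amp;lt;" into "<".
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Encoding loses nothing: the safe output decodes back to the stored text.
function roundTrips(value) {
  return decodeEntities(escapeHtml(value)) === String(value);
}
```

The point of `roundTrips` is that output encoding, unlike input filtering, is lossless: "O'Brien & Sons" is stored and displayed exactly as typed, while the `<img>` payload is displayed as text rather than parsed as an element.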

Remediation (AI)

Upgrade Raytha CMS to version 1.4.6 or later. If the upgrade must wait, encode the FirstName and LastName values for the HTML context at every point where they are rendered; the fix belongs on output, not on input. Raytha is built on ASP.NET Core, where Razor's @-expressions encode by default, so the places to look are any Html.Raw calls or hand-built markup that include these fields. Input validation is only a weaker secondary control for name fields: rejecting &, ' or " breaks legitimate names such as O'Brien, so limit rejection to characters that have no place in a name, such as < and >, rather than all HTML metacharacters. Add a Content Security Policy whose script-src does not include 'unsafe-inline'; that blocks the inline event handlers and script blocks this kind of payload relies on, although it does not remove the underlying bug. Finally, review which accounts can edit profiles, and search the user table and audit logs for names containing markup that were changed during the window of exposure: the upgrade fixes how names are rendered but does not necessarily clean records that already hold a payload, so remove those as well.
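One way to do the triage and policy steps above, as an added example rather than anything shipped by Raytha or vuln.today (the exported rows, the detection patterns, the `triageProfiles` and `cspHeader` helpers and the exposure-window date are all assumptions made for the demonstration; the rows are constructed sample data, not real users):

```javascript
// Added example (not Raytha's code): flag profile rows whose FirstName or
// LastName holds markup, note whether they changed inside the exposure
// window, and build the Content Security Policy recommended above.

// Constructed export of profile rows. Row 2 is a legitimate name with
// characters naive filters would reject; rows 3-5 are probes of three kinds.
const profileRows = [
  { id: 1, FirstName: 'Ada',  LastName: 'Lovelace',            updated: '2026-03-01T10:00:00Z' },
  { id: 2, FirstName: 'Seán', LastName: "O'Brien & Sons",      updated: '2026-03-05T09:30:00Z' },
  { id: 3, FirstName: '<svg/onload=alert(1)>', LastName: 'x', updated: '2026-03-10T22:14:00Z' },
  { id: 4, FirstName: 'Eve',  LastName: 'javascript:alert(1)', updated: '2026-03-12T08:00:00Z' },
  { id: 5, FirstName: '&lt;script&gt;', LastName: 'Smith',     updated: '2026-03-14T11:00:00Z' },
];

// Signals that have no place in a person's name. Apostrophes and ampersands
// are deliberately absent: they are common in real names and harmless once
// output is encoded.
const markupPatterns = [
  { name: 'html-tag',      re: /<\s*\/?\s*[a-z][\w-]*/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-scheme', re: /javascript\s*:/i },
];

// One round of percent and entity decoding so an encoded probe still
// matches. Only one round, so the result is not itself re-decoded.
function decodeOnce(value) {
  let s = String(value);
  try { s = decodeURIComponent(s); } catch (_) { /* not percent-encoded, keep as is */ }
  return s
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>').replace(/&quot;/gi, '"')
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&amp;/gi, '&');
}

// Names of every pattern that matches the decoded value (empty if clean).
function findingsFor(value) {
  const decoded = decodeOnce(value);
  return markupPatterns.filter(p => p.re.test(decoded)).map(p => p.name);
}

// Walks the export and returns one hit per suspicious field, tagged with
// whether the row was last modified on or after the exposure start date.
function triageProfiles(rows, exposureStart) {
  const start = Date.parse(exposureStart);
  return rows.flatMap(row => {
    const hits = [];
    for (const field of ['FirstName', 'LastName']) {
      const findings = findingsFor(row[field]);
      if (findings.length > 0) {
        hits.push({ id: row.id, field, findings, inWindow: Date.parse(row.updated) >= start });
      }
    }
    return hits;
  });
}

// A policy with no 'unsafe-inline' in script-src: inline handlers such as
// onload= and inline <script> blocks are refused by the browser. Value for
// the Content-Security-Policy response header.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}
```

Treat the hit list as a starting point for review, not as proof of compromise: the decoding step exists so that entity- or percent-encoded probes are not missed, and the `inWindow` flag only orders the review, since a payload planted before the window still needs removing.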

More in Raytha

CVE-2026-12076 CRITICAL
9.3 Jun 30

SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter

CVE-2025-15540 HIGH
8.8 Mar 16

A code injection vulnerability in Raytha CMS's Functions module allows privileged users to execute arbitrary .NET operat

CVE-2025-69240 HIGH
7.5 Mar 16

A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwa

CVE-2025-69243 MEDIUM
6.9 Mar 16

Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages

CVE-2025-69246 MEDIUM
6.9 Mar 16

Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts wit

CVE-2025-69238 MEDIUM
6.9 Mar 16

Raytha CMS contains a Cross-Site Request Forgery (CSRF) vulnerability across multiple endpoints that fails to enforce to

CVE-2025-69245 MEDIUM
5.1 Mar 16

Raytha CMS contains a Reflected Cross-Site Scripting (XSS) vulnerability in the logon functionality's returnUrl paramete

CVE-2025-69242 MEDIUM
5.1 Mar 16

Raytha CMS contains a reflected cross-site scripting (XSS) vulnerability in the backToListUrl parameter that allows unau

CVE-2025-69237 MEDIUM
5.1 Mar 16

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the page creation functionality through the Fie

CVE-2025-69236 MEDIUM
5.1 Mar 16

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the post editing functionality, specifically wi

CVE-2025-69239 MEDIUM
5.1 Mar 16

Raytha CMS contains a Server-Side Request Forgery (SSRF) vulnerability in its Theme Import from URL feature that allows


CVE-2025-69241 vulnerability details – vuln.today
