Skip to main content

ZCMS CVE-2025-7748

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-07-17 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:20 vuln.today

DescriptionCVE.org

A vulnerability classified as problematic was found in ZCMS 3.6.0. This vulnerability affects unknown code of the component Create Article Page. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Reflected cross-site scripting (XSS) in ZCMS 3.6.0 Create Article Page allows authenticated attackers to inject malicious scripts via the Title parameter. The vulnerability requires user interaction (clicking a malicious link) and results in limited impact to integrity, with EPSS score of 0.05% (14th percentile) indicating minimal real-world exploitation probability despite public disclosure.

Technical ContextAI

ZCMS is a content management system where the Create Article Page component fails to properly sanitize user-supplied input in the Title parameter before reflecting it in HTTP responses. This is a classic reflected XSS vulnerability (CWE-79) where an attacker crafts a malicious URL containing script payload in the Title parameter, and when a logged-in user clicks the link, the unfiltered payload executes in their browser context. The vulnerability requires the victim to already be authenticated to the application and to interact with the malicious link, limiting the attack surface compared to stored XSS or unauthenticated vulnerabilities.

Affected ProductsAI

ZCMS version 3.6.0 is confirmed affected. The vulnerability is specific to the Create Article Page component's Title parameter handling. No indication of fixed versions or newer releases is provided in available references, suggesting the affected product may be abandoned or unmaintained.

RemediationAI

Apply input validation and output encoding to the Title parameter in the Create Article Page component. Implement HTML entity encoding for all user-supplied input before rendering in HTML context, or use a context-aware templating engine that automatically escapes output. If vendor patches are unavailable for ZCMS 3.6.0 (which is likely given the project age and reporting source), compensating controls include: (1) Implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in the Title parameter with trade-off of false positives requiring tuning, (2) Apply strict Content Security Policy (CSP) headers to prevent inline script execution with trade-off of potential application breakage if the application relies on inline scripts, (3) Restrict Create Article Page access to trusted administrator roles only via access controls. For long-term mitigation, consider migrating to an actively maintained CMS solution. References available at vuldb.com/?id.316738.

Share

CVE-2025-7748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy