Vulnerability Description
REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1.
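To illustrate the bug class described above, here is an added PHP example (not REDAXO's code): a request parameter interpolated into an info banner once unescaped and once passed through htmlspecialchars(). The banner wording and the function names are assumptions; the sample input is constructed and uses a harmless bold tag.

```php
<?php
// Added illustration of the described pattern, NOT REDAXO's implementation:
// a request value (here standing in for args[types]) reaches HTML markup.

declare(strict_types=1);

/** Vulnerable pattern: the raw request value is concatenated into the markup. */
function render_info_banner_unescaped(string $types): string
{
    return '<div class="alert alert-info">Filtered by types: ' . $types . '</div>';
}

/** Hardened pattern: escape the value for an HTML text context before output. */
function render_info_banner_escaped(string $types): string
{
    // ENT_QUOTES also escapes single and double quotes, which matters if the
    // same helper is ever reused inside an attribute value.
    $safe = htmlspecialchars($types, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert alert-info">Filtered by types: ' . $safe . '</div>';
}

/** Reads args[types] from the request the way a handler might (assumed shape). */
function read_types_param(array $request): string
{
    $types = $request['args']['types'] ?? '';
    // Only a scalar string is acceptable here; arrays or objects are rejected.
    return is_string($types) ? $types : '';
}

// Constructed sample request: a benign tag is enough to show the difference.
$request = ['args' => ['types' => 'jpg,png<b>bold</b>']];
$types   = read_types_param($request);

$unsafe = render_info_banner_unescaped($types);
$safe   = render_info_banner_escaped($types);

// The escaped banner no longer contains a live tag; the unescaped one does.
assert(strpos($unsafe, '<b>') !== false);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&lt;b&gt;') !== false);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```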
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redaxo | Redaxo | < 5.20.1 |
References
- https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa (Patch)
- https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-66026?
CVE-2025-66026 is a vulnerability with a CVSS score of 6.1 (MEDIUM). REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info b...
How severe is CVE-2025-66026?
CVE-2025-66026 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2025-66026?
Check the references section above for the vendor advisory and the patch commit; the issue is fixed in version 5.20.1. Affected products include REDAXO (vendor: Redaxo) in versions before 5.20.1.