Vulnerability Description
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lavalite | Lavalite | <= 10.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/LavaLite/cms/issues/420ExploitIssue Tracking
- https://lavalite.org/Product
- https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creatioThird Party Advisory
FAQ
What is CVE-2025-71177?
CVE-2025-71177 is a vulnerability with a CVSS score of 5.4 (MEDIUM). LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or Ja...
How severe is CVE-2025-71177?
CVE-2025-71177 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-71177?
Check the references section above for vendor advisories and patch information. Affected products include: Lavalite Lavalite.