CVE-2019-10260
Description
Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Total.js CMS 12.0.0 via unsanitized message and column format fields allows arbitrary JavaScript execution.
Vulnerability
Total.js CMS 12.0.0 contains a stored cross-site scripting (XSS) vulnerability in the admin interface. The flaw exists in themes/admin/views/index.html where the item.message field is rendered without sanitization, and in themes/admin/public/ui.js where the column.format property is used directly in grid rendering. Affected versions include Total.js CMS 12.0.0 and the underlying total.js npm package up to version 3.3.0-12 [1][3].
Exploitation
An attacker with the ability to post messages or configure grid columns (e.g., an authenticated admin user or a user who can submit content that is later displayed in the admin panel) can inject malicious HTML or JavaScript. For the message vector, the attacker supplies a crafted payload in the item.message field. For the column format vector, the attacker sets a column.format value containing JavaScript. When an admin views the affected page, the payload executes in the context of the admin session [2][4].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the browser of any administrator viewing the affected page. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the admin. The attack does not require user interaction beyond the admin viewing the crafted content [1][3].
Mitigation
The vulnerability is fixed in commits 75205f9 and 8b9d7da of the Total.js CMS repository, which wrap the output with Thelpers.encode() to escape HTML [2][4]. Version 3.3.0-13 of the total.js npm package resolves the issue [3]. Users should upgrade to the patched version immediately. No workaround is available for unpatched installations.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
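As an added example (not Total.js CMS code), the two output paths that the fix commits change, reduced to plain functions: the grid-cell fallback from ui.js with the pre-fix and patched behaviour side by side, and the notification message from index.html. htmlEncode() and formatValue() are constructed stand-ins for Thelpers.encode() and total.js's prototype .format(), neither of which this page shows.

```javascript
// Added example, not code from Total.js CMS. htmlEncode() is a constructed
// stand-in for Thelpers.encode(); formatValue() stands in for the .format()
// that total.js adds to built-in prototypes. Neither is shown on this page.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed formatter: handles only fixed-decimal number formats like '0.00'.
function formatValue(val, fmt) {
  if (typeof val === 'number' && /^0\.0+$/.test(fmt)) {
    return val.toFixed(fmt.length - 2);
  }
  return String(val);
}

// Same ternary chain as the ui.js hunk; encode=false is the pre-fix behaviour.
// Results of column.template and column.render are never encoded, so those
// callbacks remain responsible for their own escaping.
function renderCell(item, column, encode) {
  var val = item[column.name];
  if (column.template) return column.template(item, column);
  if (column.render) return column.render(val, column, item);
  if (val == null) return '';
  var out = column.format ? formatValue(val, column.format) : val;
  return encode ? htmlEncode(out) : out;
}

// Notification path: encode into a local instead of overwriting item.message,
// so rendering the same object twice cannot double-encode it.
function notificationMessage(item) {
  return item.message ? htmlEncode(item.message) : '';
}

// Constructed sample rows; the second carries a stored payload in a cell value.
var rows = [
  { name: 'Alice', price: 3.5 },
  { name: '<script>alert(1)</script>', price: 10 }
];

rows.forEach(function (row) {
  console.log(renderCell(row, { name: 'name' }, false), '->',
              renderCell(row, { name: 'name' }, true));
});
```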
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total.js (npm) | < 3.3.0-13 | 3.3.0-13 |
Affected products
Patches (2)
1 file changed · +4 −0
themes/admin/views/index.html+4 −0 modified@@ -190,6 +190,10 @@ var msg = ''; var t = common.notifications.template; + + if (item.message) + item.message = Thelpers.encode(item.message); + switch (item.type) { case 'navigation.save':
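Review bot: the fix encodes by overwriting item.message in place before the switch, rather than encoding where the message is written into msg; if the same notification object is passed through this code more than once, the second pass encodes the already-encoded string and `&` becomes `&amp;amp;`. Suggest leaving the item untouched and encoding into a local, e.g. `var message = item.message ? Thelpers.encode(item.message) : '';`, then using `message` in the branches of `switch (item.type)`. A short comment noting that only item.message is encoded here would also document the scope of the fix.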
1 file changed · +1 −1
themes/admin/public/ui.js+1 −1 modified@@ -559,7 +559,7 @@ COMPONENT('grid', 'filter:true;external:false;fillcount:50;filterlabel:Filtering for (var j = 0, jl = columns.length; j < jl; j++) { var column = columns[j]; var val = items[i][column.name]; - m.value = column.template ? column.template(items[i], column) : column.render ? column.render(val, column, items[i]) : val == null ? '' : (column.format ? val.format(column.format) : val); + m.value = column.template ? column.template(items[i], column) : column.render ? column.render(val, column, items[i]) : val == null ? '' : Thelpers.encode((column.format ? val.format(column.format) : val)); m.index = j; m.align = column.align; m.background = column.background;
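Review bot: Thelpers.encode() wraps only the final fallback branch of the ternary; values returned by column.template and column.render are still inserted unencoded, so any column that defines one of those callbacks is unprotected unless the callback escapes its own output. If that is intentional (templates may emit markup), add a comment saying so and document that custom render functions must encode; otherwise consider encoding val before it reaches render. Minor: the doubled parentheses in `Thelpers.encode((column.format ? val.format(column.format) : val))` are redundant, and the long nested ternary would read better as an if/else chain.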
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-72p5-2r6g-fm6v (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10260 (source: ghsa; type: ADVISORY)
- github.com/totaljs/cms/commit/75205f93009db3cf8c0b0f4f1fc8ab82d70da8ad (source: ghsa, x_refsource_MISC; type: WEB)
- github.com/totaljs/cms/commit/8b9d7dada998c08d172481d9f0fc0397c4b3c78d (source: ghsa, x_refsource_MISC; type: WEB)