Moderate severityNVD Advisory· Published Nov 10, 2021· Updated Apr 30, 2025
Publify - Stored Cross-Site Scripting (XSS) in Editor
CVE-2021-25974
Description
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
publify_coreRubyGems | >= 8.0, < 9.2.5 | 9.2.5 |
Affected products
3- osv-coords2 versions
>= 8.0.0, < 9.2.4+ 1 more
- (no CPE)range: >= 8.0.0, < 9.2.4
- (no CPE)range: >= 8.0, < 9.2.5
- publify_core/publify_corev5Range: v8.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-wmh9-x28j-c6grghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25974ghsaADVISORY
- github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083eghsax_refsource_MISCWEB
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.