VYPR
Unrated severity · NVD Advisory · Published Oct 27, 2023 · Updated Sep 9, 2024

flusity CMS posts.php loadPostAddForm cross site scripting

CVE-2023-5810

Description

A vulnerability, which was classified as problematic, has been found in flusity CMS. This issue affects the function loadPostAddForm of the file core/tools/posts.php. The manipulation of the argument edit_post_id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 6943991c62ed87c7a57989a0cb7077316127def8. It is recommended to apply a patch to fix this issue. The identifier VDB-243641 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability exists in flusity CMS via unsanitized edit_post_id input in core/tools/posts.php.

Vulnerability

The vulnerability resides in the loadPostAddForm function of the file core/tools/posts.php in flusity CMS. The edit_post_id parameter from the GET request is directly echoed into a JavaScript context without sanitization or encoding. The affected code is at line 274: $edit_post_id = $_GET['edit_post_id']; echo "";. The commit 6943991c62ed87c7a57989a0cb7077316127def8 shows the fix using filter_input with FILTER_SANITIZE_NUMBER_INT and htmlspecialchars. Since flusity CMS uses rolling releases, specific affected versions are not enumerated, but any installation lacking this patch is vulnerable [1][2].

Exploitation

The attacker requires network access to the CMS backend. The attack is initiated by sending a crafted GET request to the vulnerable endpoint, for example: ?edit_post_id=3);. The attacker can use a browser or any HTTP client. The references do not explicitly state that authentication is required to trigger the vulnerability, although the posts management page would typically require an administrator session. The payload is embedded directly in the response and executed in the victim's browser [2]. No user interaction beyond visiting the injected page is needed.

Impact

Successful exploitation leads to Cross-Site Scripting (XSS) in the context of the victim's session. The attacker can execute arbitrary JavaScript in the browser of any user who views the affected page. This can result in session hijacking, defacement, or redirection to malicious sites, potentially leading to complete compromise of the admin session. The CVSS score is not provided in the description, but the impact includes disclosure of sensitive information and partial compromise of integrity [1][2].

Mitigation

The issue is fixed by commit 6943991c62ed87c7a57989a0cb7077316127def8 in the flusity CMS repository [1]. Users should apply this patch by updating their installation to the latest rolling release that includes this commit. No workaround is provided in the references. The vulnerability is publicly disclosed and may be exploited, so immediate patching is recommended [2].
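The Vulnerability and Mitigation sections above describe the defect (a query-string value echoed into a JavaScript context unencoded) and the shape of the fix (filter_input with FILTER_SANITIZE_NUMBER_INT plus htmlspecialchars). The following is an added example, not flusity CMS's own code and not the content of the referenced commit, showing how an integer id such as edit_post_id is handled safely for both the script and the HTML-attribute contexts. The function names, the hypothetical JavaScript call openPostForm() and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not flusity CMS's own code: hardened handling of an integer
// id read from the query string and then placed into an inline <script>
// block, the pattern the advisory describes for edit_post_id. Function names
// and the JS call openPostForm() are assumptions.
declare(strict_types=1);

/**
 * Validate edit_post_id strictly. FILTER_VALIDATE_INT rejects any value that
 * is not a whole integer, so an input such as "3);" is refused outright
 * instead of being stripped down to "3" as FILTER_SANITIZE_NUMBER_INT would do.
 */
function validateEditPostId(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;                       // no id: the form is an "add", not an "edit"
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * JavaScript context. Only a validated int (or null) reaches this point, and
 * json_encode() with the HEX flags turns it into a JS literal; the flags also
 * neutralise "<", ">", "&" and quotes should a string ever be passed here, so
 * the value cannot close the <script> element early.
 */
function renderEditPostScript(?int $id): string
{
    $literal = json_encode($id, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>openPostForm(' . $literal . ');</script>';
}

/**
 * HTML attribute context, the second encoder the fix uses: htmlspecialchars()
 * with ENT_QUOTES so both quote styles are escaped.
 */
function renderEditPostHidden(?int $id): string
{
    $value = $id === null ? '' : (string) $id;
    return '<input type="hidden" name="edit_post_id" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// In a request handler the raw value would come from the query string:
//   $id = validateEditPostId($_GET['edit_post_id'] ?? null);
// Constructed inputs for a stand-alone run: a valid id, the truncated payload
// shape quoted in the advisory, a non-numeric value, and a missing parameter.
foreach (['3', '3);', 'abc', null] as $raw) {
    $id = validateEditPostId($raw);
    printf("%-6s -> %s\n", var_export($raw, true), $id === null ? 'rejected/absent' : "id={$id}");
    echo renderEditPostScript($id), "\n";
    echo renderEditPostHidden($id), "\n";
}
```

Because edit_post_id is semantically an integer, strict validation is the primary control and the two encoders are defence in depth for their respective contexts. Note that htmlspecialchars() on its own is not a sufficient encoder inside a script block, which is why the JavaScript side above uses json_encode() with the HEX flags rather than the HTML encoder.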

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)