CVE-2025-2366
Description
A vulnerability, which was classified as problematic, was found in gougucms 4.08.18. This affects the function add of the file /admin/department/add of the component Add Department Page. The manipulation of the argument title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in gougucms 4.08.18 Add Department page via the title parameter allows arbitrary script execution.
Vulnerability Description
A stored cross-site scripting (XSS) vulnerability exists in gougucms version 4.08.18. The issue is in the /admin/department/add endpoint, where the title parameter is not properly sanitized before being stored in the database and later rendered on the page. This allows an attacker to inject malicious scripts.
Exploitation
To exploit this vulnerability, an attacker must be authenticated as an administrator. By sending a crafted POST request to /admin/department/add with a malicious payload in the title parameter, the script is stored and executed when the department list page is viewed. The attack can be launched remotely, and a proof-of-concept has been publicly disclosed [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the admin session. This can result in session hijacking, defacement, or unauthorized actions.
Mitigation
The vendor was contacted but did not respond. As of the publication date, no official patch or workaround is available. Users should consider restricting access to the admin panel or upgrading if a fix becomes available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
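The mitigation section above names the missing control (the title is neither validated on input nor escaped on output). The following Python is an added illustration, not gougucms code: it shows the vulnerable and hardened rendering of a department row side by side, an input check for the add handler, and a detector run over constructed access-log lines for POSTs to /admin/department/add. Function names, the log-line shape and the sample values are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs

# Vulnerable rendering (the behaviour the advisory describes): the stored
# title is interpolated into the department list markup unchanged.
def render_row_vulnerable(title: str) -> str:
    return f"<tr><td>{title}</td></tr>"

# Hardened rendering: escape on output so any stored markup is shown as text.
def render_row_safe(title: str) -> str:
    return f"<tr><td>{html.escape(title, quote=True)}</td></tr>"

# Input-side check for the add-department handler (hypothetical helper):
# a department name never needs angle brackets, so reject them outright.
def validate_department_title(title: str) -> bool:
    return 0 < len(title) <= 64 and not re.search(r"[<>]", title)

# Detection over constructed log lines of the form
# "<client-ip> POST <path> <urlencoded-body>". Flags submissions to the
# affected endpoint whose title parameter looks like markup or script.
SUSPICIOUS = re.compile(r"<\s*\w+|on\w+\s*=|javascript:", re.IGNORECASE)

def find_suspicious_department_adds(log_lines):
    hits = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST" or parts[2] != "/admin/department/add":
            continue
        title = parse_qs(parts[3]).get("title", [""])[0]
        if SUSPICIOUS.search(title):
            hits.append((parts[0], title))
    return hits

# Constructed sample log: one benign add, one login, one markup-bearing title.
SAMPLE_LOG = [
    "203.0.113.5 POST /admin/department/add title=Finance&leader=1",
    "198.51.100.2 POST /admin/login username=admin",
    "203.0.113.9 POST /admin/department/add title=%3Cscript%3Ex%3C%2Fscript%3E",
]

if __name__ == "__main__":
    for ip, title in find_suspicious_department_adds(SAMPLE_LOG):
        print(f"suspicious department title from {ip}: {title!r}")
        print("rendered safely as:", render_row_safe(title))
```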
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.