VYPR
Medium severity (CVSS 4.8) · NVD Advisory · Published Jul 28, 2025 · Updated Apr 15, 2026

CVE-2025-27800

Description

The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser.

The Admin dashboard offered the functionality to add gadgets to the dashboard. This included the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") that was impersonating the victim could insert malicious JavaScript code in these notes that would be executed if the victim visited the dashboard.

Affected products:
Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5)
Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Optimizely Episerver CMS Admin Dashboard Notes gadget allows authenticated attackers to execute malicious JavaScript in victim's browser.

Vulnerability

Overview

CVE-2025-27800 is a stored cross-site scripting (XSS) vulnerability in the Optimizely Episerver CMS, affecting versions 11.X and 12.X of the EPiServer.CMS.Core and EPiServer.CMS.UI packages [3]. The issue resides in the Admin Dashboard's "Notes" gadget, where an authenticated attacker with "WebAdmin" rights can inject malicious JavaScript code.

Exploitation

An attacker must have valid authentication and the necessary access rights (e.g., "WebAdmin") to add or edit notes on the dashboard. By impersonating the victim, the attacker inserts malicious JavaScript into a note. When the victim visits the dashboard, the script executes in their browser [3]. No user interaction beyond viewing the dashboard is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, data theft, or further actions within the CMS [3]. The vulnerability is rated medium severity with a CVSS v3 score of 4.8.

Mitigation

Optimizely has released patched versions: for version 11.X, EPiServer.CMS.Core 11.21.4 and EPiServer.CMS.UI 11.37.5; for version 12.X, EPiServer.CMS.Core 12.22.1 and EPiServer.CMS.UI 11.37.3 [1][2]. It is recommended to update these packages immediately [3].
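The vulnerability class described above is stored XSS: note text saved by one administrator is placed into the dashboard HTML shown to another administrator without being encoded. Beyond upgrading to the fixed package versions, the defensive pattern for this class is context-aware output encoding at render time, plus an audit of already-stored content after patching. The following JavaScript is an added example and is not Optimizely's or Episerver's code; the notes gadget, its two renderers, the sample notes and the audit rule are all hypothetical and constructed here to illustrate the pattern.

```javascript
// Added example (not Optimizely/Episerver code): output encoding for a
// hypothetical dashboard "notes" gadget, shown as the vulnerable pattern beside
// the hardened one, with a defender-side audit over stored notes.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// HTML-encode untrusted text for use inside an HTML text node or a
// double-quoted attribute value. A single-pass replace avoids double-encoding '&'.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern: stored note fields are concatenated into the HTML as-is,
// so markup saved by one admin runs in every other viewer's browser.
function renderNoteUnsafe(note) {
  return `<div class="note" data-author="${note.author}">${note.body}</div>`;
}

// Hardened pattern: each untrusted field is encoded for the context it lands in
// (attribute value and element text both use HTML entity encoding here).
function renderNoteSafe(note) {
  const author = encodeHtml(note.author);
  const body = encodeHtml(note.body);
  return `<div class="note" data-author="${author}">${body}</div>`;
}

// Defender-side audit: flag stored notes whose fields contain HTML tags,
// inline event handlers or javascript: URLs, so existing content can be
// reviewed after the patched packages are deployed. Heuristic, not a sanitizer.
const SUSPICIOUS_PATTERNS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag
  /\bon[a-z]+\s*=/i,        // inline event handler attribute
  /javascript\s*:/i,        // javascript: URL scheme
];

function auditNotes(notes) {
  return notes.filter((n) =>
    SUSPICIOUS_PATTERNS.some((re) => re.test(n.body) || re.test(n.author)),
  );
}

// Constructed sample notes: one benign, one carrying a script payload.
const SAMPLE_NOTES = [
  { id: 1, author: 'editor', body: 'Release freeze on Friday' },
  { id: 2, author: 'webadmin', body: '<script>alert(1)</script>' },
];

// Render the whole gadget with the hardened renderer.
function renderGadgetSafe(notes) {
  return `<section class="notes-gadget">${notes.map(renderNoteSafe).join('')}</section>`;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderNoteUnsafe(SAMPLE_NOTES[1]));
  console.log('safe:  ', renderNoteSafe(SAMPLE_NOTES[1]));
  console.log('flagged note ids:', auditNotes(SAMPLE_NOTES).map((n) => n.id));
}
```

The safe renderer leaves the stored note text intact in the database; only its representation in the page changes, so a note containing `<script>` displays literally as text instead of executing. The audit is a review aid for content saved before the fix, not a replacement for encoding.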

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (No linked articles in our index yet.)