CVE-2025-3806
Description
A vulnerability, which was classified as problematic, has been found in dazhouda lecms up to 3.0.3. Affected by this issue is some unknown functionality of the file /admin of the component Edit Profile Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in lecms <=3.0.3 via /admin Edit Profile Handler allows remote attackers to inject arbitrary scripts.
The vulnerability is a stored cross-site scripting (XSS) issue in lecms versions up to 3.0.3. It resides in the /admin Edit Profile Handler, where user profile updates fail to sanitize input. Reference [1] demonstrates that inserting an XSS payload into the edit profile page leads to persistent JavaScript execution.
An authenticated attacker with administrative access can exploit the vulnerability by navigating to /admin > User Management > Edit, then inserting a crafted payload such as `` into the profile field and submitting the form. Subsequently, when an administrator visits Content Management > Tag Management > Add and then views the created tag, the injected script executes in the browser context.
Successful exploitation allows the attacker to execute arbitrary JavaScript within the admin panel, potentially compromising session cookies, performing actions on behalf of the victim, or defacing the administrative interface. The CVSS score of 2.4 indicates low impact due to the requirement of authenticated access and limited scope (user interaction required).
As of publication, no official patch has been released. Users are advised to restrict admin panel access, apply input validation, or upgrade to a patched version if available. The vulnerability has been publicly disclosed, increasing the risk of exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
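The narrative above attributes the issue to a profile field that is stored without filtering and later rendered into an admin page as live HTML. The following is an added example, not lecms code, showing that pattern beside its hardened form (output encoding at render time plus allowlist validation at the edit-profile handler) and a small audit helper for records already stored; the profile and tag fields are constructed for this example, and the markup in the sample is illustrative, not the payload from the advisory.

```python
"""Added example (not from lecms): stored profile value rendered into an
admin tag page, vulnerable vs. hardened, plus a post-disclosure audit."""
import html
import re

# Constructed sample: a profile saved through an unfiltered edit-profile
# handler. Illustrative markup only.
STORED_PROFILE = {"username": "<script>alert(1)</script>", "bio": "hello"}


def render_tag_row_vulnerable(tag: str, profile: dict) -> str:
    # Plain string concatenation: whatever was stored is emitted as HTML,
    # so the browser executes it when the admin views the tag page.
    return "<tr><td>" + tag + "</td><td>" + profile["username"] + "</td></tr>"


def render_tag_row_hardened(tag: str, profile: dict) -> str:
    # Encode on output, every time, for the context being written into.
    # quote=True also covers the attribute-value context.
    return ("<tr><td>" + html.escape(tag, quote=True) + "</td><td>"
            + html.escape(profile["username"], quote=True) + "</td></tr>")


# Allowlist for a username field (assumed policy for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value: str) -> bool:
    # Defence in depth at the edit-profile handler; it does not replace
    # output encoding, because other fields and contexts still exist.
    return USERNAME_RE.fullmatch(value) is not None


def audit_stored_profiles(profiles) -> list:
    # With no patch available, flag records already in the database whose
    # username violates the allowlist so they can be reviewed and cleaned.
    return [p["username"] for p in profiles if not validate_username(p["username"])]
```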
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.