CVE-2025-57520
Description
A Cross Site Scripting (XSS) vulnerability exists in Decap CMS thru 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user views the preview panel. The vulnerability affects multiple input vectors and does not require user interaction beyond viewing the affected content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Decap CMS <=3.8.3 improperly sanitizes preview fields, allowing stored XSS that executes when an admin views content.
Vulnerability
Overview A stored cross-site scripting (XSS) vulnerability has been discovered in Decap CMS through version 3.8.3. The root cause is insufficient sanitization of user-supplied input in multiple content fields—including body, tags, title, and description—before they are rendered in the content preview pane [1][3].
Exploitation
An attacker with low-level contributor or editor privileges can craft a malicious entry containing JavaScript payloads (e.g., ``) in any of the vulnerable fields. The payload is stored in the CMS and triggers automatically whenever a privileged user, such as an admin, opens that entry in the preview panel [3]. No additional user interaction is required beyond viewing the infected content [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the browser context of the victim administrator. This can lead to session hijacking, credential theft, content defacement, or injection of backdoors into the generated static site output [3]. Because the vulnerability affects multiple input vectors, an attacker has considerable flexibility in choosing which field to poison.
Mitigation
As of this writing, no official patch has been released for the vulnerability. Users of Decap CMS versions 3.8.3 or earlier are advised to restrict access to the editor panel to trusted users only, or to implement a web application firewall (WAF) rule that filters common XSS payloads in the affected fields [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
decap-cmsnpm | <= 3.8.3 | — |
Affected products
2- Decap/CMSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-xp8g-32qh-mv28ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-57520ghsaADVISORY
- onurcangenc.com.tr/posts/cve-2025-57520--stored-xss-in-decap-cms-3-8-3ghsaWEB
- onurcangenc.com.tr/blog/decap-cms-xss-analysismitre
- onurcangenc.com.tr/posts/cve-2025-57520--stored-xss-in-decap-cms-3-8-3/mitre
News mentions
0No linked articles in our index yet.