VYPR
Moderate severity · NVD Advisory · Published Sep 26, 2025 · Updated Sep 26, 2025

CVE-2025-57692

Description

PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PiranhaCMS 12.0 fails to sanitize user-supplied HTML in the Text content block, allowing stored XSS that executes arbitrary JavaScript when an editor views or previews the page.

Vulnerability Overview

Piranha CMS 12.0 is vulnerable to a stored cross-site scripting (XSS) flaw in the Text content block of Standard Page and Standard Archive Page types [1][2]. The vulnerability arises because the application does not properly sanitize user-supplied HTML when adding text content via the page editor [2]. An authenticated user who can edit pages can inject malicious scripts that persist with the page content and execute automatically when the page is accessed or previewed [2].

Attack Vector

An attacker who has authenticated access to the Piranha CMS admin panel can exploit the vulnerability by navigating to /manager/pages, adding a new page (Standard Page or Standard Archive), and inserting a crafted HTML payload into the Text content block [2]. Validated proof-of-concept payloads use HTML tag event handlers that trigger JavaScript execution on save and upon every subsequent view [2]. No additional user interaction is required beyond visiting the compromised page [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the CMS manager interface for any other user who views the affected page [1][2]. This can lead to theft of sensitive session data (cookies, local/session storage), account takeover, or unauthorized actions within the admin panel [2]. In shared administrative environments, the risk is heightened as every editor who previews or navigates to the infected page is automatically affected [2].

Mitigation

As of the publication date, no patched version of Piranha CMS has been released for this issue [1][2]. The vendor repository indicates that version 12.0 is the affected release [3][4]. Users should apply input sanitization on the Text block content, restrict access to the manager interface, and monitor for vendor updates or workarounds [2].
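One way to apply the Text block input sanitization recommended above, as an added Python example that is not Piranha CMS's own code (Piranha is a .NET project; the same allow-list approach carries over): a sanitizer that rebuilds the block's HTML from scratch, emitting only allow-listed tags and attributes (the allow-list itself is an assumption), so that every HTML tag event handler, script element and javascript: link is removed before the content is stored or rendered.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for a CMS rich-text block (this list is an assumption, not Piranha's own).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "h2", "h3", "code", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # no on* handlers, style or src anywhere
SAFE_SCHEMES = {"http", "https", "mailto"}

def _safe_url(value):
    # Drop whitespace/control chars and lower-case so "Java\tScript:" is still caught.
    v = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace()).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme part: relative URL
    return scheme in SAFE_SCHEMES

class TextBlockSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped on output
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept, escaped
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes onload/onerror/onmouseover/...
            if name == "href" and not _safe_url(value):
                continue  # javascript:, data:, vbscript: links are dropped
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_text_block(html):
    p = TextBlockSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Because the output is regenerated rather than filtered with regular expressions, malformed or nested markup cannot smuggle an attribute past the allow-list; unknown tags lose their markup but keep their text.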

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Piranha (NuGet)
Affected versions: <= 12.0
Patched versions: (none listed)

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)