VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2025 · Updated Jul 24, 2025

Stored Cross-Site Scripting (XSS) in Mezzanine CMS Admin Interface

CVE-2025-6050

Description

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Mezzanine CMS <6.1.1 lets an admin inject JavaScript via blog post titles; fixed in 6.1.1.

Vulnerability

CVE-2025-6050 is a stored cross-site scripting (XSS) vulnerability in Mezzanine CMS versions prior to 6.1.1. The flaw exists in the displayable_links_js function, which constructs a JSON response for the /admin/displayable_links.js endpoint. Blog post titles are included in this response without proper sanitization, allowing an authenticated admin to inject malicious JavaScript into the title field [1][4].

Exploitation

To exploit the vulnerability, an admin user creates a blog post with a crafted JavaScript payload in the title. Another admin must then visit the /admin/displayable_links.js endpoint directly, causing the payload to execute in their browser [1]. The attack requires both authenticated admin users and social engineering to trick a victim admin into accessing the endpoint.

Impact

Successful exploitation allows the attacker's script to run in the context of the victim admin's session. This could lead to unauthorized actions within the admin interface, such as modifying content, creating new admin accounts, or exfiltrating sensitive data [1]. The risk is limited to admin users but undermines the trust and security of the admin panel.

Mitigation

The issue has been fixed in Mezzanine version 6.1.1 by applying Django's escape() function to sanitize the title value [1][4]. Users should upgrade to version 6.1.1 or later. The vulnerability is considered low severity as it requires admin privileges to exploit [1][3].
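The fix described above, as an added Python example that is not Mezzanine's code: the standard library's html.escape() stands in for django.utils.html.escape() (which wraps it), the url map and titles are constructed sample data, and the helper names are assumptions.

```python
import html
import json

# Constructed sample of what Mezzanine's url_map() might yield (url -> title).
# Not real site data; the second title carries markup of the kind the advisory
# describes so the before/after difference is visible.
SAMPLE_URL_MAP = {
    "/about/": "About us",
    "/blog/hello/": 'Hello <b>world</b> & "friends"',
}

# '&' is deliberately left out: entity-encoded titles legitimately contain it.
MARKUP_CHARS = set('<>"\'')


def escape_title(title) -> str:
    """Stand-in for django.utils.html.escape(), which wraps html.escape():
    & < > " ' become HTML entities."""
    return html.escape(str(title), quote=True)


def displayable_links(url_map: dict, escape_titles: bool = True) -> str:
    """Serialize a url -> title map to the JSON body the admin endpoint returns.

    escape_titles=False mirrors the pre-6.1.1 code path (title used as-is);
    True mirrors the 6.1.1 fix (title passed through escape()).
    """
    links = []
    for url, title in url_map.items():
        if escape_titles:
            title = escape_title(title)
        links.append({"title": title, "value": url})
    return json.dumps(links)


def titles_in(body: str) -> list:
    """Titles as a consumer of the endpoint would read them back."""
    return [entry["title"] for entry in json.loads(body)]


def unescaped_titles(body: str) -> list:
    """Regression check: titles in the serialized body that still contain raw
    markup characters. An empty list means every title was entity-encoded."""
    return [t for t in titles_in(body) if MARKUP_CHARS & set(t)]


if __name__ == "__main__":
    for escaped in (False, True):
        body = displayable_links(SAMPLE_URL_MAP, escape_titles=escaped)
        print("escape_titles=%s unescaped=%r" % (escaped, unescaped_titles(body)))
```

unescaped_titles() is the shape of check a regression test for the fixed endpoint would assert on: it must return an empty list for every title stored in the CMS.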

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
Mezzanine (PyPI)   < 6.1.1             6.1.1

Patches

898630d8df48

fix: [security] fix XSS in admin

https://github.com/stephenmcd/mezzanine · Henri Hulski · Jun 4, 2025 · via ghsa
1 file changed · +2 −1
  • mezzanine/core/views.py (+2 −1, modified)
    @@ -14,6 +14,7 @@
     from django.template.loader import get_template
     from django.template.response import TemplateResponse
     from django.urls import reverse
    +from django.utils.html import escape
     from django.utils.translation import gettext_lazy as _
     from django.views.decorators.csrf import requires_csrf_token
     
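Review bot: the new import is correctly placed in the existing alphabetical order between django.urls and django.utils.translation, so no style issue there; the one thing worth documenting is why HTML-entity escaping (django.utils.html.escape) is the chosen defense for a value that, per the advisory, is emitted in a JSON response at /admin/displayable_links.js. A one-line comment at the call site stating that titles are later inserted into the admin DOM as HTML would make the intent clear to the next reader.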
    @@ -175,7 +176,7 @@ def displayable_links_js(request):
         # case of Page subclasses, we just use "Page", and then sort the items
         # by whether they're a Page subclass or not, then by their URL.
         for url, obj in Displayable.objects.url_map(for_user=request.user).items():
    -        title = getattr(obj, "titles", obj.title)
    +        title = escape(getattr(obj, "titles", obj.title))
             real = hasattr(obj, "id")
             page = is_page(obj)
             if real:
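Review bot: escaping title at the single point where it is read from obj closes the reported case, but the hunk leaves url (taken from the same url_map) untouched, so it is worth confirming in the surrounding code that the URL value is also encoded before it is written into the response. A regression test asserting that a title containing angle brackets comes back entity-encoded from /admin/displayable_links.js would guard the fix; also note that escape() on a plain-string title is idempotent-safe only once, so any later template rendering of this value must not escape it a second time.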
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
