High severity7.3NVD Advisory· Published Oct 10, 2025· Updated Apr 15, 2026

CVE-2025-60869

Description

Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site.

Affected products

GetPublii/Publiiinferred
Range: =0.46.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

getpublii.com/download/nvd
gist.github.com/kasiasok/63f7dcc9c453857005066ee9738318a9nvd

News mentions

No linked articles in our index yet.

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000