VYPR
Moderate severity · NVD Advisory · Published Oct 23, 2025 · Updated Oct 24, 2025

CVE-2025-61413

Description

A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Piranha CMS v12.0 Markdown blocks allows authenticated attackers to execute arbitrary scripts in the browser of any page viewer, bypassing the prior DOMPurify fix.

CVE-2025-61413 is a stored cross-site scripting (XSS) vulnerability in Piranha CMS v12.0, specifically in the Markdown content block used by Standard Page and Standard Archive Page types [1][3]. The vulnerability is a bypass of a previous fix (CVE-2024-55341) that added DOMPurify sanitization; certain HTML/JS payloads still evade the filter [3].

An authenticated user can create or edit a page through the /manager/pages interface and insert a crafted payload into a Markdown block [1]. Proof-of-concept payloads, such as an element carrying a base64-encoded script or an element with an `ontoggle` event handler, have been demonstrated to bypass DOMPurify [3]. The malicious script is stored and executed both when the editor previews the page and when any user views the published page [3].

An attacker can execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session theft, defacement, or data exposure for both authenticated editors and unauthenticated public visitors [3].

As of the disclosure date, Piranha CMS has not released a patch for version 12.0 [3]. Administrators should restrict access to the manager interface and consider additional input validation or content security policies until an official fix is available.
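While no fix is available, content already stored in Markdown blocks can be triaged for the two payload classes named above (inline event handlers and script-capable `data:` URLs). The following is an added example, not code from Piranha CMS or the advisory; it assumes block bodies have been exported as strings, and the block ids, function names and sample contents are hypothetical and constructed.

```python
from html.parser import HTMLParser

# Attributes whose value is fetched or navigated to as a URL.
URL_ATTRS = {"src", "href", "data", "action", "formaction", "xlink:href"}
SAFE_DATA_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif")

class _RawHtmlAuditor(HTMLParser):
    """Collects (tag, attribute, reason) for script-capable raw HTML."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, "", "script element"))
        for name, value in attrs:
            # Names arrive lower-cased and values entity-decoded; strip the
            # whitespace/control characters browsers ignore inside a scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append((tag, name, "inline event handler"))
            elif name == "srcdoc":
                self.findings.append((tag, name, "inline document"))
            elif name in URL_ATTRS and (
                url.startswith(("javascript:", "vbscript:"))
                or (url.startswith("data:") and not url.startswith(SAFE_DATA_PREFIXES))
            ):
                self.findings.append((tag, name, "script-capable URL"))

def audit_block(markdown_body):
    """Return findings for one stored Markdown block body."""
    auditor = _RawHtmlAuditor()
    auditor.feed(markdown_body)
    auditor.close()
    return auditor.findings

def audit_blocks(blocks):
    """Map block id -> findings, omitting clean blocks."""
    return {bid: f for bid, body in blocks.items() if (f := audit_block(body))}

# Constructed sample data: hypothetical block ids, placeholder handler and payload.
SAMPLE_BLOCKS = {
    "block-1": "# Welcome\n\nSome *text* and <em>inline HTML</em>.",
    "block-2": 'Intro\n\n<section ontoggle="placeholder()">text</section>',
    "block-3": '<a href="data:text/html;base64,Q09OU1RSVUNURUQ=">link</a>',
    "block-4": '![logo](x.png) <img src="data:image/png;base64,AAAA">',
}

if __name__ == "__main__":
    print(audit_blocks(SAMPLE_BLOCKS))
```

The scan treats the whole block as raw HTML, so markup quoted inside Markdown code fences is reported too; review findings by hand rather than deleting content automatically.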

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Piranha (NuGet) | <= 12.0.0 | |

Patches

No patches discovered yet.
