NuGet package
piranha
pkg:nuget/piranha
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-67291 | — | | | <= 12.0.0 | — | Dec 22, 2025 | A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. |
| CVE-2025-67290 | — | | | <= 12.0.0 | — | Dec 22, 2025 | A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. |
| CVE-2025-61413 | — | | | <= 12.0.0 | — | Oct 23, 2025 | A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks. |
| CVE-2025-57692 | — | | | <= 12.0 | — | Sep 26, 2025 | PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser. |
| CVE-2024-55342 | — | | | <= 11.1.0 | — | Dec 20, 2024 | A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading |
| CVE-2024-55341 | — | | | <= 11.1.0 | — | Dec 20, 2024 | A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via the /manager/pages and then adding a markdown content with the XSS payload. |
| CVE-2021-25976 | — | | | >= 4.0.0-alpha1, < 10.0-alpha1 | 10.0-alpha1 | Nov 16, 2021 | In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known. |
| CVE-2021-25977 | — | | | >= 7.0.0, < 9.2.0 | 9.2.0 | Oct 25, 2021 | In PiranhaCMS, versions 7.0.0 to 9.1.1 are vulnerable to stored XSS due to the page title improperly sanitized. By creating a page with a specially crafted page title, a low privileged user can trigger arbitrary JavaScript execution. |