CVE-2025-46041

MEDIUM

Anchor CMS 0.12.7 - Stored Cross-Site Scripting via Page Description Field

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-46041. PoCs published by /bin/neko, binneko.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Anchor CMS v0.12.7, where an authenticated user can inject arbitrary JavaScript into the `markdown` field of the page creation interface, leading to script execution when the page is viewed.

Description

A stored cross-site scripting (XSS) vulnerability in Anchor CMS v0.12.7 allows attackers to inject malicious JavaScript via the page description field in the page creation interface (/admin/pages/add).

Exploits (2)

exploitdb WORKING POC

by /bin/neko · textwebappsphp

https://www.exploit-db.com/exploits/52327

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Anchor CMS v0.12.7, where an authenticated user can inject arbitrary JavaScript into the `markdown` field of the page creation interface, leading to script execution when the page is viewed.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Anchor CMS v0.12.7

Auth required

Prerequisites: Authenticated access to the Anchor CMS admin panel · Page creation privileges

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by binneko · poc

https://github.com/binneko/CVE-2025-46041

View Code ZIP pw:eip

This repository contains a writeup detailing a Stored XSS vulnerability in Anchor CMS v0.12.7, where malicious JavaScript can be injected into the `description` field of the page creation interface. The PoC demonstrates execution via an alert payload.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Anchor CMS v0.12.7

Auth required

Prerequisites: Admin or editor access to Anchor CMS

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Broken Link

http://anchor.com

Exploit, Third Party Advisory

https://github.com/binneko/CVE-2025-46041

Scores

CVSS v3 5.4

EPSS 0.0063

EPSS Percentile 70.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

anchorcms/anchor_cms 0.12.7

Published Jun 09, 2025

Tracked Since Feb 18, 2026