CVE-2025-57520

MEDIUM

Decap CMS < 3.8.3 - Stored Cross-Site Scripting in Content Preview Pane

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-57520. PoCs published by onurcangnc.

AI-analyzed exploit summary This repository contains a writeup detailing a stored XSS vulnerability (CVE-2025-57520) in Decap CMS versions up to 3.8.3. The vulnerability allows arbitrary JavaScript execution in the admin interface via malicious input in fields like title, tags, description, or body.

Description

A Cross Site Scripting (XSS) vulnerability exists in Decap CMS thru 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user views the preview panel. The vulnerability affects multiple input vectors and does not require user interaction beyond viewing the affected content.

Exploits (1)

nomisec WRITEUP
by onurcangnc · poc
https://github.com/onurcangnc/CVE-2025-57520-Stored-XSS-in-Decap-CMS-3.8.3-

This repository contains a writeup detailing a stored XSS vulnerability (CVE-2025-57520) in Decap CMS versions up to 3.8.3. The vulnerability allows arbitrary JavaScript execution in the admin interface via malicious input in fields like title, tags, description, or body.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Decap CMS <= 3.8.3
Auth required
Prerequisites: Access to a contributor/editor account · Ability to create or edit content entries
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 6.1
EPSS 0.0002
EPSS Percentile 5.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
npm/decap-cms 0npm
techhub.p-m/decap_cms < 3.8.3
Published Sep 10, 2025
Tracked Since Feb 18, 2026