CVE-2025-60869
Severity: HIGH
Publii CMS v0.46.5 - Stored Cross-Site Scripting via Site Description and Footer Follow Buttons
Title source: llmDescription
Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site.
References (2)
Core References
Various Sources
https://getpublii.com/download/
Scores
CVSS v3
7.3
EPSS
0.0025
EPSS Percentile
15.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Published
Oct 10, 2025
Tracked Since
Feb 18, 2026