CVE-2025-60869

HIGH

Publii CMS v0.46.5 - Stored Cross-Site Scripting via Site Description and Footer Follow Buttons


Description

Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site.


Scores

- CVSS v3.1 base score: 7.3 (HIGH)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
- Attack Vector: NETWORK
- EPSS: 0.0025
- EPSS Percentile: 15.8%

CISA SSVC (Vulnrichment)

- Exploitation: poc
- Automatable: no
- Technical Impact: partial

Details

- CWE: CWE-79
- Status: published
- Published: Oct 10, 2025
- Tracked Since: Feb 18, 2026