CVE-2025-64049

MEDIUM

REDAXO CMS 5.20.0 - Stored Cross-Site Scripting via Module Output Code Field

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module.

Scores

CVSS v3 4.8
EPSS 0.0026
EPSS Percentile 17.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
redaxo/redaxo 5.20.0
redaxo/source 0 - 5.20.1Packagist
Published Nov 25, 2025
Tracked Since Feb 18, 2026