Description
A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions.
References (2)
Core References
Exploit, Third Party Advisory: https://github.com/mertdurum06/Perch-v3.2/blob/main/Perch%20v3.2_Poc.txt
Scores
CVSS v3: 6.1 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.0007
EPSS Percentile: 20.9%
Attack Vector: NETWORK

CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial

Details
CWE: CWE-79
Status: published

Products (1)
grabaperch/perch 3.2

Published: Jan 07, 2026
Tracked Since: Feb 18, 2026