# LavaLite CMS Stored XSS via Package Creation and Search (CVE-2025-71177)

**Author:** Beatriz Fresno Naumova (beafn28), abigowl

**Date:** 22/01/2026

**Vendor:** LavaLite

**Product:** LavaLite CMS

**Versions affected:** ≤ 10.1.0

**Component:** Package creation and search functionality

**CWE:** CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)

**Attack type:** Remote

**Impact:** Stored Cross-Site Scripting (XSS)

### Description

LavaLite CMS versions up to and including **10.1.0** are affected by a **stored Cross-Site Scripting (XSS)** vulnerability in the **package creation and search functionality**.

Authenticated users can supply crafted **HTML or JavaScript payloads** in the **Name** or **Description** fields when creating a package. This input is stored without proper context-aware output encoding and later rendered in **package search results**.

When other users view search results containing the malicious package, the injected script executes in their browser, allowing arbitrary JavaScript execution within the context of the victim's session.

This vulnerability may be abused to compromise user sessions or perform unauthorized actions on behalf of affected users.

### Impact

#### Primary impact

* Execution of arbitrary JavaScript in the victim’s browser session

#### Consequences

* Session hijacking
* Credential theft
* Unauthorized actions performed on behalf of the victim
* Potential compromise of user trust and application integrity

### CVSS Details

**CVSS v4.0 Vector:**

`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N`

**Base Score:** 5.1 (Medium)

### Solution

No official fix was available at the time of disclosure.

### Recommendation

* Apply strict context-aware output encoding when rendering user-controlled input
* Sanitize and validate the **Name** and **Description** fields during package creation
* Avoid rendering raw HTML or JavaScript supplied by authenticated users
* Conduct regular security reviews of content creation and search functionalities

### Mitigation

* Encode all user-supplied input before storing or rendering it in HTML contexts
* Implement server-side validation to restrict dangerous characters and payloads
* Apply Content Security Policy (CSP) headers to reduce the impact of potential XSS vulnerabilities
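
The encoding and CSP items above, sketched as an added PHP example. It is not LavaLite's code and is not taken from the advisory. The helper names, the `/packages?q=` route and the record shape are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not LavaLite code): one encoder per output context.
function e_html(string $v): string   // HTML text and quoted attributes
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function e_json(array $v): string     // data inside a <script type="application/json"> block
{
    // The HEX flags escape <, >, &, ' and " so the data cannot close the script element.
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Render one search result. $package stands in for a stored record (assumed shape).
function render_result(array $package): string
{
    $name = (string) ($package['name'] ?? '');
    $desc = (string) ($package['description'] ?? '');
    $href = '/packages?q=' . rawurlencode($name);  // URL component first ...

    return sprintf(
        '<li><a href="%s" title="%s">%s</a><p>%s</p>'
        . '<script type="application/json" class="pkg-data">%s</script></li>',
        e_html($href),                              // ... then attribute encoding
        e_html($name),
        e_html($name),
        e_html($desc),
        e_json(['name' => $name, 'description' => $desc])
    );
}

// Constructed sample record containing markup and quote characters.
$stored = [
    'name'        => 'Demo "pkg" <b>bold</b>',
    'description' => "Tom & Jerry's <i>package</i>",
];

// Defence in depth: disallow inline script and restrict sources to the site's own origin.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");

echo render_result($stored), PHP_EOL;
```

The stored values are kept unchanged and encoded at render time, once per context, so the same record can be emitted safely as HTML text, as an attribute value, as a URL parameter and as JSON data.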

### Discoverer

* Beatriz Fresno Naumova (beafn28)
* abigowl

### References

* **CVE Record:** <https://www.cve.org/CVERecord?id=CVE-2025-71177>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search>
* **Vendor Website:** <https://lavalite.org/>

