LavaLite CMS Stored XSS via Package Creation and Search (CVE-2025-71177)
Author: Beatriz Fresno Naumova (beafn28), abigowl
Date: 22/01/2026
Vendor: LavaLite
Product: LavaLite CMS
Versions affected: ≤ 10.1.0
Component: Package creation and search functionality
CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)
Attack type: Remote
Impact: Stored Cross-Site Scripting (XSS)
Description
LavaLite CMS versions up to and including 10.1.0 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the package creation and search functionality.
Authenticated users can supply crafted HTML or JavaScript payloads in the Name or Description fields when creating a package. This input is stored as-is and later rendered in package search results without context-aware output encoding.
When other users view search results containing the malicious package, the injected script executes in their browser, allowing arbitrary JavaScript execution within the context of the victim.
This vulnerability may be abused to compromise user sessions or perform unauthorized actions on behalf of affected users.
Impact
Primary impact
Execution of arbitrary JavaScript in the victim’s browser session
Consequences
Session hijacking
Credential theft
Unauthorized actions performed on behalf of the victim
Potential compromise of user trust and application integrity
CVSS Details
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Base Score: 5.1 (Medium)
Solution
No official fix was available at the time of disclosure.
Recommendation
Apply strict context-aware output encoding when rendering user-controlled input
Sanitize and validate the Name and Description fields during package creation
Avoid rendering raw HTML or JavaScript supplied by authenticated users
Conduct regular security reviews of content creation and search functionalities
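The following Python example is added to this advisory to illustrate the rendering defect described above and the context-aware output encoding the recommendations call for; it is not LavaLite code, and the package records, field names and function names are constructed for the illustration. The vulnerable renderer interpolates the stored Name and Description directly into an HTML attribute, the HTML body and an inline script; the hardened renderer encodes each value for the context it lands in. A small parser-based audit counts real tags and event handlers in the output so the two can be compared.

```python
"""Added example: stored package fields rendered into search results,
vulnerable vs. context-aware encoded. Not LavaLite code; names are assumed."""
import html
import json
from html.parser import HTMLParser

# Constructed sample data: one benign package and one whose Name/Description
# carry the kind of active markup the advisory describes.
PACKAGES = [
    {"name": "Blog", "description": "Simple blog module"},
    {
        "name": '"><img src=x onerror=alert(1)>',
        "description": '"><script>alert(2)</script>',
    },
]


def search_packages(packages, query):
    """Case-insensitive substring match on Name or Description (assumed search logic)."""
    q = query.lower()
    return [p for p in packages if q in p["name"].lower() or q in p["description"].lower()]


def render_results_vulnerable(results):
    """Raw interpolation: stored fields reach the attribute, body and script contexts unchanged."""
    rows = [f'<li data-name="{p["name"]}">{p["name"]}: {p["description"]}</li>' for p in results]
    names_js = "[" + ",".join('"' + p["name"] + '"' for p in results) + "]"
    return "<ul>" + "".join(rows) + "</ul>" + f"<script>var names = {names_js};</script>"


def encode_html(value):
    """HTML body and quoted-attribute context: escape &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JavaScript string-literal context: JSON-encode, then escape < and > so a
    stored '</script>' cannot terminate the enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_results_hardened(results):
    """Same page, with each stored value encoded for the context it is written into."""
    rows = [
        f'<li data-name="{encode_html(p["name"])}">'
        f'{encode_html(p["name"])}: {encode_html(p["description"])}</li>'
        for p in results
    ]
    names_js = "[" + ",".join(encode_js_string(p["name"]) for p in results) + "]"
    return "<ul>" + "".join(rows) + "</ul>" + f"<script>var names = {names_js};</script>"


class _TagAudit(HTMLParser):
    """Counts script elements and on* event-handler attributes the browser would act on."""

    def __init__(self):
        super().__init__()
        self.event_handlers = 0
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit_rendered(page):
    """Return how many script tags and event-handler attributes the rendered page contains.
    The hardened page should show only the one legitimate script block."""
    audit = _TagAudit()
    audit.feed(page)
    audit.close()
    return {"event_handlers": audit.event_handlers, "script_tags": audit.script_tags}


if __name__ == "__main__":
    hits = search_packages(PACKAGES, "")
    print("vulnerable:", audit_rendered(render_results_vulnerable(hits)))
    print("hardened:  ", audit_rendered(render_results_hardened(hits)))
```

In a Blade template the same distinction is between the escaping {{ }} syntax and the raw {!! !!} syntax; the audit here is a review aid for comparing outputs, not a substitute for encoding at every output point.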
Mitigation
Encode all user-supplied input before storing or rendering it in HTML contexts
Implement server-side validation to restrict dangerous characters and payloads
Apply Content Security Policy (CSP) headers to reduce the impact of potential XSS vulnerabilities
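As an added illustration of the last two mitigations (not part of the original advisory and not LavaLite code), the Python below shows a server-side validator for the package Name and Description fields and a nonce-based Content Security Policy, together with a small policy evaluator that models whether an inline script without the nonce would be allowed to run. Field limits, directive choices and function names are assumptions; validation is defense in depth and does not replace output encoding.

```python
"""Added example: server-side field validation and a nonce-based CSP as
defense in depth against stored XSS. Not LavaLite code; limits are assumed."""
import secrets

# Assumed per-field limits for the package creation form.
FIELD_LIMITS = {"name": 64, "description": 500}


def validate_package_fields(fields):
    """Return a list of validation errors (empty when the submission is acceptable)."""
    errors = []
    for field, limit in FIELD_LIMITS.items():
        value = fields.get(field, "")
        if not value.strip():
            errors.append(f"{field}: required")
        elif len(value) > limit:
            errors.append(f"{field}: longer than {limit} characters")
        if "<" in value or ">" in value:
            errors.append(f"{field}: angle brackets are not allowed")
    return errors


def make_nonce():
    """Fresh per-response nonce; must never be reused across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    """Strict policy: only scripts carrying this response's nonce may execute."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'none'",
    ])


def parse_csp(policy):
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if part:
            name, *values = part.split()
            directives[name] = values
    return directives


def inline_script_allowed(policy, nonce=None):
    """Model the CSP decision for an inline <script> element.
    An injected script has no valid nonce, so under a nonce-based policy it is blocked.
    Simplified: 'unsafe-inline' is ignored when a nonce or hash source is present, as
    in CSP Level 3; hash sources themselves are not evaluated here."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return nonce is not None and f"'nonce-{nonce}'" in sources


if __name__ == "__main__":
    # Constructed submission mirroring the advisory's crafted Name field.
    print(validate_package_fields({"name": "<img src=x onerror=alert(1)>", "description": "ok"}))
    nonce = make_nonce()
    policy = csp_header(nonce)
    print(policy)
    print("injected inline script allowed:", inline_script_allowed(policy))
    print("nonced inline script allowed:", inline_script_allowed(policy, nonce))
```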
Discoverer
Beatriz Fresno Naumova (beafn28)
abigowl
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-71177
Vendor Website: https://lavalite.org/