CVE-2025-9429
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in mtons mblog up to 3.5.0. This vulnerability affects unknown code of the file /post/submit of the component Post Handler. The manipulation of the argument content/title/ leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9429
EUVD
EUVD-2025-25764
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mtons mblog to 3.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9429 is a stored Cross-Site Scripting (XSS) vulnerability in the mtons mblog application (up to version 3.5.0) affecting the /post/submit endpoint used for publishing blog posts. The vulnerability occurs because the user-controlled parameters 'title' and 'content' are not validated or sanitized, and the input is output on multiple frontend and admin panel pages without proper encoding or escaping. This allows attackers to inject malicious scripts that are stored on the server and executed in the browsers of users who view or manage the affected posts, leading to stored XSS attacks. [1, 2, 3, 4, 5]

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of users' browsers when they view or manage blog posts. The impact includes potential session hijacking, defacement of the website, or further exploitation of the application by executing malicious scripts. Since the malicious code is stored and executed persistently, it can affect multiple users including administrators, increasing the risk and scope of the attack. [3, 4, 5]

Detection Guidance

This vulnerability can be detected by submitting crafted HTTP POST requests to the /post/submit endpoint with malicious payloads in the title or content parameters and observing if the payload executes when viewing or editing posts. For example, using curl to submit a payload in the title parameter: curl -X POST http://<target>/post/submit -F 'title=1"><img src=1 onerror=alert(/Blog-Tile/)>'. Then, check the affected frontend or admin pages (e.g., /, /users/1, /admin/post/list) to see if the alert triggers, indicating stored XSS. Similarly, test with payloads in the content parameter. Monitoring HTTP traffic for suspicious POST requests to /post/submit with script tags or HTML injection attempts can also help detect exploitation attempts. [4, 5]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /post/submit endpoint to trusted users only, applying input validation and sanitization on the title and content parameters to block malicious scripts, and implementing output encoding/escaping on all pages rendering these parameters. Since no patches or countermeasures are currently available, consider disabling the vulnerable functionality or replacing the affected mblog version with a secure alternative. Additionally, monitor logs for suspicious activity and educate users about the risk of stored XSS. [3, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart