CVE-2025-60869
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-14

Assigner: MITRE

Description
Publii CMS v0.46.5 (build 17089) allows persistent Cross-Site Scripting (XSS) via unsanitized input in configuration fields such as "Site Description" and "Footer Follow Buttons". An attacker can inject arbitrary JavaScript, which is stored in the project and executed in the browsers of remote visitors viewing the generated static site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60869
EUVD
EUVD-2025-33728
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
publii cms 0.46.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60869 is a persistent Cross-Site Scripting (XSS) vulnerability in Publii CMS version 0.46.5 (build 17089). It occurs because certain configuration fields, such as 'Site Description' and social media link fields in the footer, do not properly sanitize or validate user input. An attacker with write access to these fields can inject malicious JavaScript code, which is then stored and embedded into the generated static site. When visitors view the affected site and interact with infected elements like social media buttons, the malicious script executes in their browsers. [2]

Impact Analysis

This vulnerability can lead to high confidentiality and integrity risks. The injected JavaScript can execute arbitrary actions in the browsers of site visitors, such as stealing cookies or session tokens, performing phishing attacks, keylogging, or loading malicious external resources. This compromises user data and trust. However, availability of the site is not affected. [2]

Detection Guidance

This vulnerability can be detected by inspecting the configuration fields in the Publii CMS admin panel, specifically the "Site Description" and social media link fields under theme -> custom settings -> footer. Look for any injected JavaScript code such as <script> tags in these fields. Additionally, you can examine the generated static site HTML files for embedded malicious scripts in the footer section. There are no specific network commands provided, but manual inspection or automated scanning of these configuration fields and generated HTML files for suspicious script tags is recommended. [2]

Mitigation Strategies

Immediate mitigation steps include restricting write access to the configuration fields to trusted users only, as the vulnerability requires admin panel access to inject malicious code. Review and sanitize all inputs in the configuration fields to ensure no executable JavaScript can be saved. If possible, update or patch Publii CMS to a version that properly validates and sanitizes these inputs. Additionally, manually remove any suspicious scripts found in the configuration fields or generated HTML files to prevent execution in visitors' browsers. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart