CVE-2025-71177
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-01-29

Assigner: VulnCheck

Description
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-71177
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lavalite lavalite to 10.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71177 is a stored cross-site scripting (XSS) vulnerability in LavaLite CMS versions up to 10.1.0. Authenticated users can inject malicious HTML or JavaScript code into the 'Name' or 'Description' fields when creating packages. This malicious code is stored and later executed in the browsers of other users who view the package search results, leading to potential session hijacking, credential theft, and unauthorized actions within the victim's context. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in your browser when viewing package search results. This can lead to session hijacking, theft of credentials, defacement, or unauthorized actions performed on your behalf within the affected web application. [2, 3]

Detection Guidance

This vulnerability can be detected by searching for stored malicious scripts in the 'Name' or 'Description' fields of packages within the LavaLite CMS. For example, you can perform a search query for suspicious script tags like <script> in the package search functionality. Since the vulnerability involves stored cross-site scripting, inspecting package entries for injected JavaScript code is key. There are no specific commands provided in the resources, but manual inspection or automated scanning of package data for script tags or suspicious HTML/JavaScript content in these fields is recommended. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting or reviewing authenticated user input in the package creation process, especially in the 'Name' and 'Description' fields, to prevent injection of malicious scripts. Applying proper output encoding or sanitization on these fields before rendering search results is critical. Since no official patch or mitigation details are provided, limiting user privileges, monitoring package content for suspicious scripts, and educating users about the risk can help reduce exposure until a fix is available. [2, 3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71177. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart