CVE-2025-71177
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can inject malicious HTML or JavaScript into the Name or Description fields, which is stored and later rendered without proper output encoding in search results. When other users view these results, the script executes in their browsers.
Risk Assessment
The risk includes session hijacking, credential theft, and unauthorized actions in the victim's context, potentially compromising data confidentiality and integrity within the CMS.
Recommendation
Immediately upgrade LavaLite CMS to a version newer than 10.1.0 that includes the fix. Until then, restrict package creation privileges to trusted users and implement input filtering and output encoding for the Name and Description fields.
Original NVD description (English source)
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

