Home > Vulnerability Database > CVE-2025-71177

Mend.io Vulnerability Database

CVE-2025-71177

Good to know:

Date: January 23, 2026

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

Severity Score

5.4

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-71177

Url: https://github.com/LavaLite/cms

Url: https://github.com/LavaLite/cms/issues/420

Url: https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search

Url: https://lavalite.org

Url: https://lavalite.org/

Url: https://www.mend.io/vulnerability-database/CVE-2025-71177

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-71177

Good to know:

Date: January 23, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?