A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
PUBLISHED5.2CWE-79CWE-94
sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting
Problem type
Affected products
sunkaifei
FlyCMS
abbaa5a8daefb146ad4d61027035026b052cb414 - AFFECTED
References
VDB-338423 | sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting
https://vuldb.com/?id.338423
VDB-338423 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/?ctiid.338423
Submit #708997 | sunkaifei FlyCms <=1.0.0 XSS
https://vuldb.com/?submit.708997
github.com
https://github.com/sunkaifei/FlyCms/issues/16
GitHub Security Advisories
GHSA-hg49-2rqm-p9hf
A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414...
https://github.com/advisories/GHSA-hg49-2rqm-p9hfA weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-15094Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-15094",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2025-12-26T19:32:41.210Z",
"dateReserved": "2025-12-25T12:53:54.953Z",
"datePublished": "2025-12-26T01:32:06.271Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2025-12-26T01:32:06.271Z"
},
"title": "sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting",
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"affected": [
{
"vendor": "sunkaifei",
"product": "FlyCMS",
"modules": [
"User Login"
],
"versions": [
{
"version": "abbaa5a8daefb146ad4d61027035026b052cb414",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Cross Site Scripting",
"cweId": "CWE-79",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Code Injection",
"cweId": "CWE-94",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/?id.338423",
"name": "VDB-338423 | sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/?ctiid.338423",
"name": "VDB-338423 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/?submit.708997",
"name": "Submit #708997 | sunkaifei FlyCms <=1.0.0 XSS",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://github.com/sunkaifei/FlyCms/issues/16",
"tags": [
"exploit",
"issue-tracking"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"baseScore": 5
}
}
],
"timeline": [
{
"time": "2025-12-25T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2025-12-25T01:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2025-12-25T13:59:01.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "ZAST.AI (VulDB User)",
"type": "reporter"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-26T19:32:41.210Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}