A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags.
PUBLISHED5.2
Affected products
n/a - AFFECTED
References
github.com
https://github.com/fluentcms/FluentCMS/issues/2403
github.com
https://github.com/eoniboogie/CVE_Disclosures/blob/main/CVE-2025-67349/CVE-2025-67349.md
GitHub Security Advisories
GHSA-v82x-ghcg-c238
A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as...
https://github.com/advisories/GHSA-v82x-ghcg-c238A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the section, allowing remote attackers to inject arbitrary script tags.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2025-67349Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-67349",
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"dateUpdated": "2025-12-26T16:31:58.460Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"datePublished": "2025-12-26T00:00:00.000Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre",
"dateUpdated": "2025-12-26T14:48:00.731Z"
},
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the \"Add Page\" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags."
}
],
"affected": [
{
"vendor": "n/a",
"product": "n/a",
"versions": [
{
"version": "n/a",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "n/a",
"type": "text"
}
]
}
],
"references": [
{
"url": "https://github.com/fluentcms/FluentCMS/issues/2403"
},
{
"url": "https://github.com/eoniboogie/CVE_Disclosures/blob/main/CVE-2025-67349/CVE-2025-67349.md"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-26T16:31:58.460Z"
},
"title": "CISA ADP Vulnrichment",
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM"
}
},
{}
]
}
]
}
}