Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/lavalite/cms@10.1.1
purl pkg:composer/lavalite/cms@10.1.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-2pge-9wmk-a7hg Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. CVE-2024-31828
GHSA-5hcr-g32p-h74c
VCID-dw5k-pce7-tkdb LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. CVE-2025-71177
GHSA-w7rq-fgx4-4xcm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T20:51:37.254601+00:00 GitLab Importer Fixing VCID-dw5k-pce7-tkdb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/lavalite/cms/CVE-2025-71177.yml 38.6.0
2026-06-12T19:26:44.045807+00:00 GitLab Importer Fixing VCID-2pge-9wmk-a7hg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/lavalite/cms/CVE-2024-31828.yml 38.6.0