Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-dw5k-pce7-tkdb
Vulnerability ID VCID-dw5k-pce7-tkdb
Aliases CVE-2025-71177
GHSA-w7rq-fgx4-4xcm
Summary LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-71177
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-71177
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-w7rq-fgx4-4xcm
cvssv4 5.1 https://github.com/LavaLite/cms
generic_textual MODERATE https://github.com/LavaLite/cms
cvssv4 5.1 https://github.com/LavaLite/cms/issues/420
generic_textual MODERATE https://github.com/LavaLite/cms/issues/420
ssvc Track https://github.com/LavaLite/cms/issues/420
cvssv4 5.1 https://lavalite.org
generic_textual MODERATE https://lavalite.org
cvssv4 5.1 https://lavalite.org/
ssvc Track https://lavalite.org/
cvssv4 5.1 https://nvd.nist.gov/vuln/detail/CVE-2025-71177
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-71177
cvssv4 5.1 https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
generic_textual MODERATE https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
ssvc Track https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-71177
https://lavalite.org
420 https://github.com/LavaLite/cms/issues/420
CVE-2025-71177 https://nvd.nist.gov/vuln/detail/CVE-2025-71177
GHSA-w7rq-fgx4-4xcm https://github.com/advisories/GHSA-w7rq-fgx4-4xcm
lavalite-cms-stored-xss-via-package-creation-and-search https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
lavalite.org https://lavalite.org/
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/LavaLite/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://github.com/LavaLite/cms/issues/420
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-23T16:52:52Z/ Found at https://github.com/LavaLite/cms/issues/420
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://lavalite.org
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://lavalite.org/
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-23T16:52:52Z/ Found at https://lavalite.org/
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-71177
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Found at https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-23T16:52:52Z/ Found at https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search
Exploit Prediction Scoring System (EPSS)
Percentile 0.03016
EPSS Score 0.00015
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:16:37.345935+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/71xxx/CVE-2025-71177.json 38.6.0