CVE-2025-10940 MEDIUM

CVE-2025-10940: Total.js CMS Layout admin layouts_save cross site scripting

Vendor Total.js
Product CMS
Weakness CWE-79 · XSS
Published September 25, 2025
Last update September 25, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in Total.js CMS 1.0.0. Affected by this vulnerability is the function layouts_save of the file /admin/ of the component Layout Page. Performing manipulation of the argument HTML results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

September 25, 2025 CVE published
September 25, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-33742 Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes CVE-2025-69343 WordPress Theater for WordPress plugin <= 0.19 - Cross Site Scripting (XSS) vulnerability CVE-2024-49631 WordPress Easy Addons for Elementor plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-51896 WordPress Magic Slider plugin <= 1.3 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-15144 dayrui XunRuiCMS JSONP Callback Init.php dr_exit_msg cross site scripting