CVE-2025-13182 MEDIUM

CVE-2025-13182: pojoin h3blog addtitle cross site scripting

Vendor Pojoin

Product h3blog

Weakness CWE-79 · XSS

Published November 14, 2025

Last update February 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.

Key dates

02Disclosure timeline

November 14, 2025 CVE published

February 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13182 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-8605 code-projects Inventory Management Registration Form registration.php cross site scripting CVE-2025-12473 RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter CVE-2025-47578 WordPress BNS Twitter Follow Button plugin <= 0.3.8 - Cross Site Scripting (XSS) vulnerability CVE-2024-39665 WordPress Filter & Grids plugin <= 2.9.2 - Cross Site Scripting (XSS) vulnerability CVE-2025-0863 Flexmls® IDX <= 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting