CVE-2025-15540 HIGH

CVE-2025-15540: Authenticated RCE in Raytha CMS

Vendor Raytha
Product Raytha
Weakness CWE-94 · Code injection
Published March 16, 2026
Last update March 16, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01Description

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment. This issue was fixed in version 1.4.6.

Key dates

02Disclosure timeline

March 16, 2026 CVE published
March 16, 2026 Record updated

Related vulnerabilities

04Related CVE