CVE-2025-71177 MEDIUM

CVE-2025-71177: LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search

Vendor Lavalite
Product LavaLite CMS
Weakness CWE-79 · XSS
Published January 23, 2026
Last update March 5, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

Key dates

02 Disclosure timeline

January 23, 2026 CVE published
March 5, 2026 Record updated