CVE-2025-15540

Source
https://cve.org/CVERecord?id=CVE-2025-15540
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15540.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-15540
Published
2026-03-16T14:17:55.953Z
Modified
2026-04-02T12:33:21.290880Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The "Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to the application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment.

This issue was fixed in version 1.4.6.

References

Affected packages

Git / github.com/raythahq/raytha

Affected ranges

Type
GIT
Repo
https://github.com/raythahq/raytha
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.6"
        }
    ]
}

Affected versions

v0.*
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15540.json"