CVE-2025-25460

Source
https://cve.org/CVERecord?id=CVE-2025-25460
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25460.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-25460
Published
2025-02-24T16:15:14.873Z
Modified
2026-04-10T05:23:17.113570Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. An authenticated attacker can inject JavaScript into a blog post, and the payload executes in the browser of any other user who views that post. The issue arises from improper input sanitization of the "TextArea" field in the blog entry submission form. Consistent with the CVSS vector above, exploitation needs a privileged account (PR:H) and a victim who opens the post (UI:R), and the impact lands in the viewer's browser rather than on the server that stores the entry (S:C).
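
The description attributes the flaw to sanitization of the entry body rather than to how the body is encoded when rendered. As an added illustration (this is not FlatPress code and is not taken from the CVE record), the Python below models the two rendering paths a reviewer would compare for a stored-XSS report like this one: a blocklist filter that strips `<script>` elements but lets an event-handler attribute through, versus context-correct output encoding of the stored body with `html.escape`. A small parser-based check then flags markup a browser would execute, so the two paths can be compared on the same input. The payloads, the `render_*` functions and the HTML shapes are all constructed for the example.

```python
"""Stored XSS in a blog-entry body: blocklist filtering versus output encoding.

Added example for the CVE-2025-25460 description; NOT FlatPress code. The
payloads, render functions and HTML fragments below are constructed here.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs an authenticated author might submit in the
# entry textarea (or a title field). Only "benign" is legitimate content.
PAYLOADS = {
    "script_tag": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
    "event_handler": '<img src=x onerror="alert(1)">',
    "attr_breakout": '" onmouseover="alert(1)',
    "benign": "Hello <world> & friends",
}

_SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_sanitize(body: str) -> str:
    """Blocklist approach: drop <script>...</script> and nothing else.

    This is the kind of 'sanitization' that passes the obvious payload and
    fails on any other vector (event handlers, javascript: URLs, ...).
    """
    return _SCRIPT_RE.sub("", body)


def render_vulnerable(body: str) -> str:
    """Text-node context: body interpolated after the blocklist pass only."""
    return f"<div class='entry'>{naive_sanitize(body)}</div>"


def render_hardened(body: str) -> str:
    """Text-node context: encode <, >, &, quotes for HTML at output time."""
    return f"<div class='entry'>{html.escape(body, quote=True)}</div>"


def render_attr_vulnerable(title: str) -> str:
    """Attribute context with no encoding: a quote in the input ends the value."""
    return f'<a title="{title}">entry</a>'


def render_attr_hardened(title: str) -> str:
    """Attribute context with quotes encoded, so the value cannot be escaped."""
    return f'<a title="{html.escape(title, quote=True)}">entry</a>'


class _ActiveContentFinder(HTMLParser):
    """Collects script elements, on* handlers and javascript: URLs.

    Using a parser rather than a regex matters: encoded text such as
    '&lt;img onerror=...&gt;' is a text node, not a tag, and is not flagged.
    """

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def find_active_content(rendered: str) -> list[str]:
    """Return the executable constructs a browser would see in `rendered`."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


def audit(payloads: dict = PAYLOADS) -> dict:
    """Compare both renderers on every payload; the keys hold the findings."""
    return {
        name: {
            "vulnerable": find_active_content(render_vulnerable(p)),
            "hardened": find_active_content(render_hardened(p)),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:14} vulnerable={result['vulnerable']} hardened={result['hardened']}")
```

The blocklist path stops the `<script>` payloads (including the mixed-case one, since the filter is case-insensitive) but passes `<img src=x onerror=...>` unchanged, which is exactly the gap a stored-XSS finding exploits; the encoding path produces no executable markup for any of the inputs and still displays the benign text correctly. The attribute-context pair shows why encoding must match the output context: the same `"` that is harmless in a text node terminates an attribute value if quotes are not encoded.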

References

Affected packages

Git / github.com/flatpressblog/flatpress

Affected ranges

Type
GIT
Repo
https://github.com/flatpressblog/flatpress
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1.3.1
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.3.1"
        }
    ]
}

Affected versions

1.*
1.1
1.2
1.2.1
1.2.beta1
1.2.beta2
1.3
1.3.1
1.3.beta1
1.3.rc1
v1.*
v1.0.2
v1.0.3
v1.0.3.php7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25460.json"