CVE-2025-66026
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-66026
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66026.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-66026
- Aliases
- Published
- 2025-11-26T02:01:44.814Z
- Modified
- 2025-11-28T03:16:03.499984Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- REDAXO is Vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
- Details
-
REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1.
- Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/redaxo/redaxo
Affected ranges
- Type
- GIT
- Repo
- https://github.com/redaxo/redaxo
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
5.*
5.0.0
5.0.0-alpha7
5.0.0-beta1
5.0.0-beta2
5.0.0-rc
5.0.1
5.1.0
5.10.0
5.10.0-beta1
5.10.0-beta2
5.10.1
5.11.0
5.11.0-beta1
5.11.1
5.11.2
5.12.0
5.12.0-beta1
5.12.0-beta2
5.12.0-beta3
5.12.1
5.13.0
5.13.0-beta1
5.13.0-beta2
5.13.1
5.13.2
5.13.3
5.14.0
5.14.0-beta1
5.14.0-beta2
5.14.1
5.14.2
5.14.3
5.15.0
5.15.0-beta1
5.15.1
5.16.0
5.16.0-beta1
5.16.1
5.17.0
5.17.1
5.18.0
5.18.1
5.18.2
5.18.3
5.19.0
5.2.0
5.2.0-beta1
5.20.0
5.3.0
5.4.0
5.4.0-beta1
5.4.0-beta2
5.5.0
5.5.0-beta1
5.5.1
5.6.0
5.6.0-beta1
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.7.0
5.7.0-beta1
5.7.0-beta2
5.7.0-beta3
5.7.1
5.8.0
5.8.0-beta1
5.8.1
5.9.0
5.9.0-beta1
5.9.0-beta2