PYSEC-2025-236

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/mezzanine/PYSEC-2025-236.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-236
Aliases
Published
2025-06-17T11:15:22.400Z
Modified
2026-06-23T22:56:15.670981353Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayablelinksjs" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayablelinks.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayablelinks.js" endpoint, causing the malicious script to execute in their browser.
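The defensive point of the advisory is that a string taken from a blog post title must not be able to introduce markup when the JSON is served from a `.js` URL. The following is an added illustration, not Mezzanine's own code: a naive serialiser beside one that applies the `<`, `>`, `&` to `\u00XX` escaping that Django's `json_script` filter uses, run over constructed sample titles.

```python
import json

# Constructed sample titles (not taken from the advisory). The second one is the
# kind of value that must round-trip as data without ever being read as markup.
SAMPLE_TITLES = [
    "Welcome post",
    "</script><script>alert(1)</script>",
]

# Same character map Django's json_script filter applies. JSON parsers decode the
# \u escapes back to the original characters, so the payload is unchanged for a
# legitimate consumer, but a browser parsing the body as HTML or inline script
# never sees a literal '<', '>' or '&'.
_HTML_SAFE_ESCAPES = str.maketrans({
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
})


def _records(titles):
    """Hypothetical link records; the URL scheme here is invented for the example."""
    return [{"title": t, "url": "/blog/%d/" % i} for i, t in enumerate(titles)]


def links_json_unsafe(titles):
    """Naive serialisation: json.dumps leaves '<', '>' and '&' verbatim, so a
    title containing '</script>' reaches the client as a closing tag."""
    return json.dumps(_records(titles))


def links_json_safe(titles):
    """Serialise, then replace HTML-significant characters with JSON escapes.
    ensure_ascii (the json.dumps default) already escapes non-ASCII characters
    such as U+2028/U+2029, which would otherwise break a JS string literal."""
    return json.dumps(_records(titles)).translate(_HTML_SAFE_ESCAPES)


def is_markup_free(payload):
    """Check a serialised body contains no character that could open or close a tag."""
    return not any(ch in payload for ch in "<>&")


def response_headers():
    """Headers that stop a browser from treating the body as HTML or script:
    a JSON content type plus nosniff so the type is not second-guessed."""
    return {"Content-Type": "application/json",
            "X-Content-Type-Options": "nosniff"}


def decode(payload):
    """Parse a serialised body back into records (used to show data is preserved)."""
    return json.loads(payload)
```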

References

Affected packages

PyPI / mezzanine

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.1.1

Affected versions

0.*
0.1
0.1.1
0.1.2
0.1.3
0.1.4
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4
0.5.1
0.5.2
0.5.3
0.5.4
0.6
0.6.1
0.6.2
0.6.3
0.6.4
0.7
0.7.2
0.8
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9
0.9.1
0.10
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.11
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.9
0.11.10
0.12
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
4.*
4.0.0
4.0.1
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0
4.3.1
5.*
5.0.0a1
5.0.0rc1
5.0.0
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
6.*
6.0.0
6.0.1
6.1.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/mezzanine/PYSEC-2025-236.yaml"