CVE-2025-67291
Published 2025-12-22
CVE-2025-67291: A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via…
Priority: P4 · 24 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (8.2th percentile)
A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotnetfoundation | piranha_cms | — | — |
| piranhacms | piranha | 0 – 12.0.0 | — |
OSV
Piranha has stored cross-site scripting (XSS) vulnerability
osv·2025-12-22
CVE-2025-67291 [LOW] Piranha has stored cross-site scripting (XSS) vulnerability
GHSA
Piranha has stored cross-site scripting (XSS) vulnerability
ghsa·2025-12-22
CVE-2025-67291 [LOW] CWE-79 Piranha has stored cross-site scripting (XSS) vulnerability
No detection rules found.
No public exploits indexed.
Published: 2025-12-22