CVE-2025-15094

4.3 MEDIUM

📋 TL;DR

This CVE describes a reflected cross-site scripting (XSS) vulnerability in sunkaifei FlyCMS's user login function. Attackers can inject malicious scripts via the redirectUrl parameter, potentially stealing user credentials or session cookies. Any FlyCMS deployment using the vulnerable code is affected.

💻 Affected Systems

Products:
  • sunkaifei FlyCMS
Versions: Up to commit abbaa5a8daefb146ad4d61027035026b052cb414
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: No versioning system used, so all deployments using code up to the specified commit are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal administrator credentials, gain full control of the CMS, deface websites, or install backdoors.

🟠 Likely Case: Attackers steal user session cookies to hijack accounts, perform actions as authenticated users, or redirect to phishing sites.

🟢 If Mitigated: With proper input validation and output encoding, the attack fails silently with no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub issue #16, requiring only crafted URLs with malicious redirectUrl parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None

Restart Required: No

Instructions:

No official patch exists. The project has not responded to the issue report. Consider applying community fixes or workarounds.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add server-side validation that sanitizes the redirectUrl parameter by allowing only safe URLs.

Modify src/main/java/com/flycms/web/front/UserController.java to validate redirectUrl against a whitelist of allowed domains or paths.

Output Encoding (all platforms)

Apply proper HTML encoding to the redirectUrl parameter before rendering it in responses.

Update the affected function to encode redirectUrl using a library such as OWASP Java Encoder before output.
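The following standalone Java class is an added illustration of the two workarounds together; it is not FlyCMS code and does not reproduce the project's UserController. It accepts a redirectUrl only when it is a site-relative path under an allowlisted prefix (the prefixes and the fallback path are assumptions), and then attribute-encodes whatever value is rendered back into the login page. The small encoder is a stand-in so the class runs without dependencies; in a real deployment use the OWASP Java Encoder's Encode.forHtmlAttribute instead.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/** Standalone illustration of allowlist validation plus output encoding; not FlyCMS code. Java 11+. */
public final class RedirectUrlGuard {

    // Assumed allowlist of site-relative path prefixes a login may return to.
    private static final List<String> ALLOWED_PREFIXES = List.of("/user/", "/article/");

    // Assumed landing page used whenever the requested redirect is rejected.
    private static final String FALLBACK = "/";

    /**
     * Accepts only a site-relative path: printable ASCII, starting with "/",
     * not protocol-relative ("//host"), no scheme or authority after parsing,
     * no ".." segments, and under one of the allowed prefixes.
     */
    public static boolean isSafeRedirect(String url) {
        if (url == null || url.isEmpty() || url.length() > 2048) {
            return false;
        }
        // Reject control characters, whitespace and non-ASCII before parsing.
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c <= 0x20 || c >= 0x7f) {
                return false;
            }
        }
        if (!url.startsWith("/") || url.startsWith("//") || url.startsWith("/\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);           // throws on illegal characters such as '<', '>' or '"'
        } catch (URISyntaxException e) {
            return false;
        }
        // A bare path has neither scheme nor authority; "javascript:" and absolute URLs do.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getPath();      // percent-decoded, so %2e%2e is caught as well
        if (path == null || path.contains("..")) {
            return false;
        }
        return ALLOWED_PREFIXES.stream().anyMatch(path::startsWith);
    }

    /** Minimal HTML attribute encoder (stand-in for OWASP Encode.forHtmlAttribute). */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Validate first, then encode the value that is written back into the page. */
    public static String hiddenFieldFor(String requestedRedirect) {
        String target = isSafeRedirect(requestedRedirect) ? requestedRedirect : FALLBACK;
        return "<input type=\"hidden\" name=\"redirectUrl\" value=\""
                + encodeForHtmlAttribute(target) + "\">";
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate path and several values that must be rejected.
        String[] samples = {
            "/user/profile",                        // accepted
            "//attacker.example/phish",             // protocol-relative, rejected
            "javascript:alert(1)",                  // not a path, rejected
            "/user/\"><script>alert(1)</script>",   // markup in the value, rejected
            "/admin/"                               // not on the allowlist, rejected
        };
        for (String s : samples) {
            System.out.println(isSafeRedirect(s) + "  " + s + "  ->  " + hiddenFieldFor(s));
        }
    }
}
```

Validation and encoding are kept as two separate steps on purpose: the allowlist decides where the browser may be sent, and the encoder makes sure that whatever string ends up in the HTML cannot close the attribute, so neither step has to be perfect for the other to hold.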

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules to block malicious redirectUrl payloads.
  • Disable or restrict the redirectUrl functionality if not essential for user login flows.

🔍 How to Verify

Check if Vulnerable:

Test by accessing the login endpoint with a redirectUrl parameter containing a simple XSS payload like <script>alert(1)</script> and check if it executes.

Check Version:

Check the Git commit hash of the FlyCMS installation; if it is abbaa5a8daefb146ad4d61027035026b052cb414 or earlier, it is vulnerable.

Verify Fix Applied:

After applying fixes, retest with the same XSS payload to ensure it is properly sanitized or encoded and does not execute.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing redirectUrl parameters with script tags or JavaScript code in user login requests.

Network Indicators:

  • HTTP requests to login endpoints containing suspicious redirectUrl values with encoded payloads.

SIEM Query:

source="web_logs" AND uri_path="/user/login" AND query_string="*redirectUrl=*<script>*"
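The query above matches only a literal `<script>` string, so URL-encoded (`%3Cscript%3E`), double-encoded or tag-free payloads (`javascript:`, `onerror=`) slip past it. The following Java scanner is an added example, not part of FlyCMS or of any SIEM product: it extracts redirectUrl from login requests, decodes it repeatedly, and only then matches. The access-log layout and the sample lines are constructed; the `/user/login` path comes from the query above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Standalone access-log scanner for suspicious redirectUrl values; not a FlyCMS or SIEM component. Java 11+. */
public final class RedirectUrlLogScan {

    // Constructed sample lines in a common access-log layout (not real traffic).
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] \"GET /user/login?redirectUrl=/user/profile HTTP/1.1\" 200 512",
        "10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] \"GET /user/login?redirectUrl=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\" 200 512",
        "10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] \"GET /user/login?redirectUrl=%252F%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1\" 200 512",
        "10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] \"GET /user/login?redirectUrl=javascript%3Aalert(1) HTTP/1.1\" 200 512",
        "10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] \"GET /article/1 HTTP/1.1\" 200 512",
    };

    // Request line: method, path, optional query string.
    private static final Pattern REQUEST =
        Pattern.compile("\"(?:GET|POST) (/[^ ?\"]*)(?:\\?([^ \"]*))? HTTP/");
    private static final Pattern REDIRECT_PARAM = Pattern.compile("(?:^|&)redirectUrl=([^&]*)");
    // Markup or script indicators, evaluated on the decoded value, case-insensitively.
    private static final Pattern SUSPICIOUS =
        Pattern.compile("(?i)<|>|javascript:|data:|\\bon\\w+\\s*=");

    /** Decode until the value stops changing, so double-encoded payloads (%253C) are caught too. */
    static String fullyDecode(String raw) {
        String cur = raw;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(cur, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break;                     // stray '%': keep what we have and let the matcher decide
            }
            if (next.equals(cur)) break;
            cur = next;
        }
        return cur;
    }

    /** Returns the decoded redirectUrl value of every login request that looks like an injection attempt. */
    static List<String> findSuspiciousRedirects(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find() || !"/user/login".equals(m.group(1)) || m.group(2) == null) continue;
            Matcher p = REDIRECT_PARAM.matcher(m.group(2));
            if (!p.find()) continue;
            String decoded = fullyDecode(p.group(1));
            if (SUSPICIOUS.matcher(decoded).find()) {
                hits.add(decoded);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Expected: three hits (the plain script tag, the double-encoded img/onerror value, javascript:)
        for (String hit : findSuspiciousRedirects(SAMPLE_LOG)) {
            System.out.println("suspicious redirectUrl: " + hit);
        }
    }
}
```

Matching on the decoded value is the point: the first sample line with a legitimate path is left alone, while the double-encoded `onerror=` payload, which contains no `<script>` at all, is still reported.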
