CVE-2025-56154

6.1 MEDIUM

📋 TL;DR

htmly v3.0.8 contains a reflected cross-site scripting (XSS) vulnerability in the /author/:name endpoint where the name parameter is not properly sanitized. Attackers can inject malicious JavaScript payloads that execute in victims' browsers when they visit crafted URLs. This affects any htmly v3.0.8 installation with the vulnerable endpoint accessible.

💻 Affected Systems

Products:
  • htmly
Versions: v3.0.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the /author/:name endpoint enabled (typically default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, or defacement of pages viewed by users who click malicious links.

🟢 If Mitigated

Limited impact if proper input validation, output encoding, and Content Security Policy (CSP) are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link). Proof-of-concept available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.0.9

Vendor Advisory: https://github.com/danpros/htmly/releases/tag/v3.0.9

Restart Required: Yes

Instructions:

1. Backup current installation.
2. Download htmly v3.0.9 from GitHub releases.
3. Replace existing files with patched version.
4. Restart web server/service.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to reject malicious characters in the name parameter.

Modify application code to sanitize input before processing.

Web Application Firewall (WAF) Rule (applies to: all)

Block requests containing JavaScript patterns in the /author endpoint parameters.

Add WAF rule to detect and block XSS payloads in URL parameters.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline script execution.
  • Disable or restrict access to the /author/:name endpoint if not required.

🔍 How to Verify

Check if Vulnerable:

Test by requesting the /author/<script>alert('XSS')</script> URL and checking whether the script executes.

Check Version:

Check htmly version in admin panel or via package manager (e.g., `npm list htmly` if applicable).

Verify Fix Applied:

After patching, test same payload; script should not execute and input should be properly encoded.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /author/ endpoint with script tags or JavaScript payloads in URL parameters.
  • Unusual spikes in requests to author pages.

Network Indicators:

  • Outbound connections to suspicious domains following visits to /author/ pages.

SIEM Query:

source="web_logs" AND url="/author/*" AND (url CONTAINS "<script>" OR url CONTAINS "javascript:")
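The SIEM query above matches the literal strings "<script>" and "javascript:", which misses percent-encoded payloads as they usually appear in access logs. The following is an added example, not part of this advisory, that decodes each request target before matching and limits the check to the /author/ route; the log lines are constructed samples and the IPs are documentation addresses.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /author/admin HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /author/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4800
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /author/x%22%20onmouseover=%22alert(1) HTTP/1.1" 200 4700
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 3000
203.0.113.14 - - [01/Jan/2025:10:00:05 +0000] "GET /author/javascript:alert(1) HTTP/1.1" 200 4600
"""

# Extract the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Script-injection indicators, applied after URL decoding so encoded
# variants (the common form in real logs) are not missed.
XSS_PATTERNS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_target(target: str) -> str:
    """Percent-decode twice to unwrap double-encoded payloads."""
    return unquote(unquote(target))


def is_suspicious_author_request(line: str) -> bool:
    """True if the line is a request to /author/ carrying an XSS indicator."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    decoded = decode_target(m.group("target"))
    # Only the /author/:name route is in scope for this CVE.
    if not urlsplit(decoded).path.startswith("/author/"):
        return False
    return bool(XSS_PATTERNS.search(decoded))


def scan_log(text: str) -> list[str]:
    """Return the source IPs of suspicious /author/ requests, in log order."""
    return [line.split()[0] for line in text.splitlines()
            if is_suspicious_author_request(line)]


if __name__ == "__main__":
    for ip in scan_log(SAMPLE_LOG):
        print("suspicious /author/ request from", ip)
```

Feed real access logs through scan_log and pair the hits with a version check of the affected installation; the /search line is deliberately excluded to show the route filter at work.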

🔗 References
