CVE-2025-65837

5.4 MEDIUM

📋 TL;DR

PublicCMS V5.202506.b contains a cross-site scripting (XSS) vulnerability in its Content Search module. This allows attackers to inject malicious scripts that execute in users' browsers when they interact with search functionality. Any organization using this specific version of PublicCMS is affected.

💻 Affected Systems

Products:
  • PublicCMS
Versions: V5.202506.b
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Content Search module in this specific version.

📦 What is this software?

PublicCMS is an open-source content management system written in Java, developed on GitHub under sanluan/PublicCMS (the repository that hosts the vendor advisory linked below). The Content Search module is the site-facing search feature through which visitors query published content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies (where the session cookie is not marked HttpOnly), perform actions in the browser as authenticated users including administrators, deface pages, or redirect visitors to malicious sites.

🟠 Likely Case

Attackers inject script through the search term to steal session data or credentials from users who submit, or are lured into opening, a crafted search.

🟢 If Mitigated

With output encoding applied where the search term is rendered, the injected payload is displayed as text rather than executed; a restrictive Content Security Policy further limits what any remaining injection point could do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS in a public search form needs no authentication and no special tooling: if the term is reflected, the attacker only has to get a victim to open a crafted search URL, and if it is stored, to view the affected page. Such bugs are routinely weaponized with basic web security knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/sanluan/PublicCMS/issues/100

Restart Required: No

Instructions:

1. Monitor the GitHub issue for an official patch.
2. Upgrade to a newer release as soon as one that addresses the issue is published.
3. If you maintain the deployment's templates or a fork, apply output encoding in the Content Search module wherever the search term is rendered.

🔧 Temporary Workarounds

Input Validation and Output Encoding (platform: all)

Encode the search term at output time for the context in which it is rendered (HTML body, attribute, or JavaScript). Input validation alone is not a fix: a blocklist of strings such as <script> is bypassed by event-handler attributes or alternative encodings, so treat validation as a secondary control.

Content Security Policy (CSP) (platform: all)

Serve a CSP whose script-src does not allow 'unsafe-inline' (use nonces or hashes for legitimate inline scripts). This does not remove the injection point, but it stops an injected inline script from executing in browsers that enforce the policy.
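The following is an added illustration of the workaround above, not code from PublicCMS and not a model of its templates. It contrasts a blocklist "input validation" filter with HTML encoding at output time, using two constructed payloads: the <script> tag from the verification step on this page and an event-handler variant that contains no <script> tag at all. The template string and the markup detector are part of the example, not of the product.

```python
"""Why output encoding, not input validation, fixes this class of bug.

Added example for the workaround above; it is not PublicCMS code and does not
model its templates. Payloads below are constructed for the demonstration.
"""
import html
import re
from html.parser import HTMLParser

# A typical "input validation" attempt: reject anything that looks like a
# <script> tag. It feels safe and is not.
_SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def naive_filter_accepts(search_term: str) -> bool:
    """Return True if the blocklist filter would let the term through."""
    return _SCRIPT_TAG.search(search_term) is None


def render_unencoded(search_term: str) -> str:
    """Vulnerable rendering: the term is concatenated straight into HTML.

    (Hypothetical template; PublicCMS's real template is not reproduced.)
    """
    return f"<p>Results for: {search_term}</p>"


def render_encoded(search_term: str) -> str:
    """Hardened rendering: the term is HTML-encoded at output time."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


class _ActiveMarkupDetector(HTMLParser):
    """Parses rendered HTML and notes any <script> tag or on* attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.active = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.active = True


def contains_active_markup(rendered: str) -> bool:
    """True if the browser would see a script tag or event handler."""
    detector = _ActiveMarkupDetector()
    detector.feed(rendered)
    detector.close()
    return detector.active


# Constructed payloads: the advisory's own probe and an event-handler variant.
PAYLOADS = {
    "script_tag": "<script>alert('XSS')</script>",
    "event_handler": '"><img src=x onerror=alert(1)>',
}


def compare(search_term: str) -> dict:
    """Summarize how each defence treats one search term."""
    return {
        "blocklist_accepts": naive_filter_accepts(search_term),
        "unencoded_is_active": contains_active_markup(render_unencoded(search_term)),
        "encoded_is_active": contains_active_markup(render_encoded(search_term)),
    }


if __name__ == "__main__":
    for name, term in PAYLOADS.items():
        print(f"{name}: {compare(term)}")
```

The blocklist rejects the <script> payload but waves the event-handler payload through, and the unencoded template turns it into a live <img onerror> element; the encoded template emits both payloads as inert text. That is the difference between "validation" and a fix.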

🧯 If You Can't Patch

  • Disable or restrict access to the Content Search module if it is not essential (for example, allow it only from trusted networks or behind authentication)
  • Add web application firewall (WAF) rules for common XSS payloads, treating them as a speed bump only: URL-encoded, double-encoded and obfuscated payloads routinely evade signature matching

🔍 How to Verify

Check if Vulnerable:

In an environment you are authorized to test, submit a harmless probe string such as <script>alert('XSS')</script> through the Content Search functionality and inspect the raw HTML of the response rather than relying on a popup: if the probe comes back with its angle brackets intact, the endpoint is vulnerable even when a Content Security Policy prevents the alert from firing.

Check Version:

Check PublicCMS version in admin panel or configuration files.

Verify Fix Applied:

Retest with the same probe after applying fixes and confirm that it is returned HTML-encoded (for example as &lt;script&gt;) rather than verbatim; the absence of an alert box alone does not prove the fix, since a CSP or browser filter can suppress execution while the injection point remains.
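The check described above, as an added helper that is not part of PublicCMS: it classifies a response body as reflecting a probe unencoded, encoded, or not at all, so the verdict depends on the HTML rather than on whether a popup appeared. The search URL and parameter name are operator-supplied assumptions (PublicCMS's real endpoint and parameter are not asserted here), and the sample responses are constructed, not captured from a real instance. Run the live probe only against systems you are authorized to test.

```python
"""Classify how a search endpoint reflects a harmless probe string.

Added verification helper for the steps above; it is not part of PublicCMS.
The search URL and parameter name are assumptions supplied by the operator,
and SAMPLE_RESPONSES below are constructed, not captured from a real site.
"""
import html
import sys
import urllib.parse
import urllib.request

# Distinctive but inert: a non-existent tag, so nothing executes even if it is
# reflected raw. The question is only whether the angle brackets survive.
PROBE = "<xssprobe1234>"


def encoded_forms(probe: str) -> tuple:
    """Ways a correctly encoding template might emit the probe."""
    return (
        html.escape(probe),                                   # &lt;...&gt;
        probe.replace("<", "&#60;").replace(">", "&#62;"),    # decimal refs
        probe.replace("<", "&#x3c;").replace(">", "&#x3e;"),  # hex refs
    )


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'unencoded', 'encoded' or 'absent' for one response body.

    Any verbatim copy wins: one raw reflection is enough to be vulnerable,
    even if another part of the page encodes the same value correctly.
    """
    if probe in body:
        return "unencoded"
    body_lower = body.lower()
    if any(form.lower() in body_lower for form in encoded_forms(probe)):
        return "encoded"
    return "absent"


def probe_search(base_url: str, param: str, probe: str = PROBE,
                 timeout: float = 10.0) -> str:
    """Live check: fetch base_url?param=probe and classify the response.

    base_url and param are assumptions (e.g. the search page and the query
    parameter of the instance under test); authorization is the caller's job.
    """
    url = f"{base_url}?{urllib.parse.urlencode({param: probe})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return classify_reflection(body, probe)


# Constructed response bodies standing in for three states of a search page.
SAMPLE_RESPONSES = {
    "vulnerable": '<div class="result">No results for <xssprobe1234></div>',
    "fixed": '<div class="result">No results for &lt;xssprobe1234&gt;</div>',
    "not_reflected": '<div class="result">No results</div>',
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check.py https://host/search word   (both assumed)
        print(probe_search(sys.argv[1], sys.argv[2]))
    else:
        for name, body in SAMPLE_RESPONSES.items():
            print(f"{name}: {classify_reflection(body)}")
```

"unencoded" means the fix has not been applied regardless of any CSP; "encoded" is what the retest after a fix should show; "absent" means the term is not echoed on that page and the check needs to look wherever the search term is actually rendered.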

📡 Detection & Monitoring

Log Indicators:

  • Search queries containing script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, including their URL-encoded forms (%3Cscript%3E)
  • Bursts of search requests from a single source whose payloads vary only in encoding or wrapper, which is typical of scanner or fuzzer activity

Network Indicators:

  • HTTP requests to search endpoints containing script tags or URL-encoded or double-encoded payloads

SIEM Query:

source="web_logs" AND (uri="*search*" OR uri="*query*") AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*onerror=*" OR uri="*onload=*")

Web servers log the request line URL-encoded, so a query that only matches the literal string <script> will miss most real attempts; match the encoded forms as well, or decode the query string before matching. Field names (uri, message) depend on the SIEM and log source.
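The decoded-before-matching approach the SIEM note calls for, as an added detection example that is not PublicCMS code or a vendor-supplied rule. It parses constructed access-log lines in the combined format, restricts itself to search-like paths, URL-decodes each query parameter repeatedly (so double-encoded payloads are caught), and flags script-like content. The /search path and the word parameter are assumptions for the sample, not PublicCMS's real endpoint.

```python
"""Flag search requests carrying script-like payloads in web access logs.

Added detection example for the SIEM query above; not PublicCMS code and not
a vendor rule. SAMPLE_LOG is constructed in Apache/nginx combined format; the
/search path and the 'word' parameter are assumptions for the sample.
"""
import re
import urllib.parse

# Combined log format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Mirrors the SIEM query's scope: only paths that look like search endpoints.
SEARCH_PATH_HINTS = ("search", "query")

# Script-like content after decoding: tags, handlers, javascript: URLs.
SUSPECT = re.compile(
    r"<\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), defeating double encoding."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return an alert dict for a suspicious search request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urllib.parse.urlsplit(m.group("path"))
    if not any(hint in parsed.path.lower() for hint in SEARCH_PATH_HINTS):
        return None
    # parse_qs performs one round of decoding; decode_repeatedly does the rest.
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        for value in values:
            decoded = decode_repeatedly(value)
            if SUSPECT.search(decoded):
                hits.append((name, decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "path": parsed.path, "hits": hits}


def detect(lines) -> list:
    """Run analyze_line over an iterable of log lines, keeping the alerts."""
    return [alert for alert in map(analyze_line, lines) if alert]


# Constructed sample: benign search, plain-encoded payload, double-encoded
# payload, and a payload on a non-search path (out of scope for this rule).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:12:00:01 +0000] "GET /search?word=public+cms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET /search?word=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2026:12:00:03 +0000] "GET /search?word=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5208 "-" "curl/8.0"',
    '203.0.113.11 - - [10/Jan/2026:12:00:04 +0000] "GET /article/42?ref=%3Cscript%3E HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two of the four lines are flagged: the plainly encoded <script> and the double-encoded <img onerror> that a literal-string match would never see. The fourth line shows the rule's scope limit; widening SEARCH_PATH_HINTS (or dropping the path filter) trades coverage for noise. Expect occasional false positives on legitimate searches for strings such as "javascript:" and review hits before blocking.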

