CVE-2025-71177

5.4 MEDIUM

📋 TL;DR

LavaLite CMS versions up to 10.1.0 contain a stored cross-site scripting vulnerability where authenticated users can inject malicious scripts into package Name or Description fields. These scripts execute when other users view search results containing the malicious package, potentially leading to session hijacking or credential theft. All LavaLite CMS installations up to version 10.1.0 with authenticated users are affected.

💻 Affected Systems

Products:
  • LavaLite CMS
Versions: All versions up to and including 10.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to package creation functionality. All installations with user accounts are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access, steal all user credentials, deface websites, and install backdoors for persistent access.

🟠 Likely Case: Authenticated attackers steal session cookies from other users, perform unauthorized actions in victims' contexts, and potentially escalate privileges.

🟢 If Mitigated: Scripts execute but are sandboxed or blocked by CSP, limiting damage to isolated browser sessions without persistent compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. A public proof of concept exists in the vendor's GitHub issue linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.1 or later

Vendor Advisory: https://github.com/LavaLite/cms/issues/420

Restart Required: No

Instructions:

1. Back up your LavaLite installation and database.
2. Download the latest version from the official repository.
3. Replace the affected files with the patched versions.
4. Clear the application cache.
5. Test package creation and search functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Add server-side input validation to sanitize HTML/JavaScript in package Name and Description fields
  • Implement HTML entity encoding for user inputs in package creation endpoints

Content Security Policy (applies to: all)

  • Implement strict CSP headers to block inline script execution
  • Add header: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Disable package creation functionality for non-administrative users
  • Implement web application firewall rules to block XSS payloads in package fields

🔍 How to Verify

Check if Vulnerable:

Create a test package with <script>alert('XSS')</script> in the Name field, then search for it. If the alert executes, the system is vulnerable.

Check Version:

Check composer.json or the version file in the LavaLite installation directory.

Verify Fix Applied:

Attempt the same test after patching. The script should be displayed as text, not executed.
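The two workarounds above (server-side validation of the package fields and HTML entity encoding at output time) and the verification check can be put side by side in a few lines. The following Python is an added example written for this page; it is not LavaLite code (LavaLite is a Laravel/PHP application, so the real fix lives in its controllers and Blade templates). The package records, the allowlist pattern and the function names are assumptions made for illustration. The vulnerable renderer reproduces the described flaw (fields interpolated into HTML unencoded); the hardened one encodes every user-controlled field; the checker applies the advisory's verification rule, i.e. it asks whether a raw script tag survives into the rendered search results.

```python
import html
import re

# Constructed package records (not real LavaLite data). The second one carries
# exactly the probe string the advisory uses to test an installation.
PACKAGES = [
    {"name": "Analytics Widget", "description": "Adds charts to the dashboard"},
    {"name": "<script>alert('XSS')</script>", "description": "looks harmless"},
]

# Hypothetical allowlist for package names: letters, digits, space, dot,
# underscore and hyphen only, 1-100 characters. Anything else is rejected
# at the creation endpoint before it ever reaches the database.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 ._-]{1,100}$")


def validate_package_input(pkg: dict) -> list[str]:
    """Server-side validation (workaround 1): return a list of error messages,
    empty when the submitted package passes."""
    errors = []
    if not NAME_PATTERN.fullmatch(pkg["name"]):
        errors.append("name: only letters, digits, space, dot, underscore and hyphen are allowed")
    if "<" in pkg["description"] or ">" in pkg["description"]:
        errors.append("description: markup is not allowed")
    return errors


def render_result_vulnerable(pkg: dict) -> str:
    """Mirrors the flaw the advisory describes: fields are written into the
    search-results HTML without encoding, so a stored payload becomes live markup."""
    return f"<li><b>{pkg['name']}</b>: {pkg['description']}</li>"


def render_result_hardened(pkg: dict) -> str:
    """Output encoding (workaround 2): every user-controlled field is HTML-entity
    encoded at render time, so the same stored string is displayed as text."""
    name = html.escape(pkg["name"], quote=True)
    description = html.escape(pkg["description"], quote=True)
    return f"<li><b>{name}</b>: {description}</li>"


# The advisory's verification rule in code: a system is vulnerable if a raw
# <script tag survives into the page the user's browser receives.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def rendered_page_is_vulnerable(render, packages: list[dict]) -> bool:
    """Render a search-results list with the given renderer and check whether
    any package field produced an executable script tag."""
    page = "<ul>" + "".join(render(p) for p in packages) + "</ul>"
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    for pkg in PACKAGES:
        print("input errors:", validate_package_input(pkg) or "none")
    print("vulnerable renderer:", rendered_page_is_vulnerable(render_result_vulnerable, PACKAGES))
    print("hardened renderer:  ", rendered_page_is_vulnerable(render_result_hardened, PACKAGES))
    print(render_result_hardened(PACKAGES[1]))
```

Output encoding is the control that actually closes the hole: validation on the way in is worth having, but any record that was stored before the filter was added (or that reaches the table through another path) is still rendered safely only because the template encodes it. The CSP header from the second workaround is complementary and browser-side; it stops an inline payload from running even if encoding is missed somewhere, which is why the advisory's "If Mitigated" case still assumes the script reaches the page.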

📡 Detection & Monitoring

Log Indicators:

  • Unusual package creation patterns
  • HTML/JavaScript in package name/description fields
  • Multiple failed login attempts followed by package creation

Network Indicators:

  • POST requests to package creation endpoints with script tags
  • Unusual search queries returning packages with encoded characters

SIEM Query:

source="web_logs" AND (uri="/packages/create" OR uri="/packages/search") AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
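The SIEM query above is written in a generic pseudo-syntax; the Python below is an added example (not from the page or the LavaLite project) that applies the same logic to a handful of constructed request log lines. It assumes a hypothetical logging proxy that writes one JSON object per request with the fields source, method, uri, user and body. It goes one step beyond the literal query in two ways a practitioner will want: matching is case-insensitive, and form-encoded bodies are URL-decoded before matching, because a browser submits the package Name field as %3Cscript%3E rather than <script>, so a literal CONTAINS "<script>" would miss the exact request the advisory describes.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample log records, one JSON object per line (not real LavaLite
# logs). Lines 2, 3 and 5 should be flagged; lines 1 and 4 should not.
SAMPLE_LOGS = [
    '{"source": "web_logs", "method": "POST", "uri": "/packages/create", "user": "editor1", '
    '"body": "name=Analytics+Widget&description=Adds+charts+to+the+dashboard"}',
    '{"source": "web_logs", "method": "POST", "uri": "/packages/create", "user": "editor2", '
    '"body": "name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&description=test"}',
    '{"source": "web_logs", "method": "GET", "uri": "/packages/search", "user": "viewer1", '
    '"body": "q=javascript%3Aalert%281%29"}',
    '{"source": "web_logs", "method": "POST", "uri": "/profile/update", "user": "editor2", '
    '"body": "bio=%3Cscript%3E"}',
    '{"source": "web_logs", "method": "POST", "uri": "/packages/create", "user": "editor3", '
    '"body": "name=<SCRIPT>alert(1)</SCRIPT>"}',
]

# The two endpoints named in the advisory's query.
WATCHED_URIS = {"/packages/create", "/packages/search"}

# Equivalents of the query's CONTAINS "<script>" and CONTAINS "javascript:" terms,
# made case-insensitive and tolerant of whitespace so that <SCRIPT> or
# "javascript :" are not missed.
PAYLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"<script[\s>]", r"javascript\s*:")]


def decode_body(body: str, max_rounds: int = 3) -> str:
    """URL-decode a form-encoded body. Decoding is repeated (bounded) so that a
    double-encoded value such as %253Cscript%253E is also unwrapped."""
    decoded = body
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def matches_query(record: dict) -> bool:
    """Apply the advisory's SIEM query to one parsed log record."""
    if record.get("source") != "web_logs":
        return False
    if record.get("uri") not in WATCHED_URIS:
        return False
    body = decode_body(record.get("body", ""))
    return any(p.search(body) for p in PAYLOAD_PATTERNS)


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Return (user, uri) pairs for every log line the query flags; malformed
    lines are skipped rather than allowed to abort the whole scan."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_query(record):
            hits.append((record.get("user", "?"), record["uri"]))
    return hits


if __name__ == "__main__":
    for user, uri in scan(SAMPLE_LOGS):
        print(f"flagged: user={user} uri={uri}")
```

The fourth sample line carries a script tag but targets an endpoint outside the query's scope, so it is not reported; that is faithful to the advisory's query, but it is also a reminder that the URI filter is what keeps this rule specific to CVE-2025-71177 rather than a general XSS detector.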
