CVE-2025-61413: 
C# 脆弱性の分析と軽減

A stored cross-site scripting (XSS) vulnerability has been identified in Piranha CMS version 12.0, specifically affecting the /manager/pages component. The vulnerability was discovered and disclosed on October 23, 2025, and has been assigned identifier CVE-2025-61413. The vulnerability allows attackers to execute arbitrary web scripts or HTML by creating a page and injecting crafted payloads into the Markdown blocks (NVD).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue (CWE-79) in the Piranha CMS manager interface, specifically within the page editor's content blocks. According to the analysis, the vulnerability exists in how user input is handled in certain Vue.js components. The CVSS 3.1 base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Miggo).

The vulnerability allows attackers to execute arbitrary web scripts or HTML through the content management system. This could potentially lead to unauthorized access to sensitive information, manipulation of content, and compromise of user sessions. The impact is particularly concerning as it affects the administrative interface of the CMS, potentially giving attackers access to privileged functionality (NVD).

Users are advised to upgrade to a patched version of Piranha CMS. The vulnerability has been addressed by introducing DOMPurify.sanitize to clean the input in all identified vulnerable locations before it is stored in the data model (Miggo).