CVE-2025-51487: 
PHP vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing attackers to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article (MITRE, MoonShine Repo). The vulnerability was discovered and disclosed on August 19, 2025, affecting the MoonShine admin panel software for Laravel framework.

The vulnerability is classified as a Stored XSS with a CVSS v3.1 Base Score of 4.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N. The attack requires high privileges and user interaction, with the attack vector being network-accessible. The vulnerability allows attackers to store and execute arbitrary JavaScript in users' browsers by manipulating the CutCode Link parameter during article creation or updates (MITRE).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the affected article. This can lead to potential theft of sensitive information, session hijacking, or other client-side attacks. The impact is primarily focused on confidentiality, with high impact on this vector, while integrity and availability remain unaffected (MITRE).

The vulnerability has been patched in MoonShine version 3.12.5. Users are advised to upgrade to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (MoonShine Repo).