CVE-2025-60837: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in MCMS v6.0.1. The vulnerability was assigned CVE-2025-60837 and was disclosed on October 23, 2025. The vulnerability affects the MCMS content management system and allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload (MITRE).

The vulnerability exists in the search functionality of MCMS, specifically in the /mcms/search.do endpoint. It is a reflected XSS vulnerability that does not require authentication or login to exploit. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (MITRE, CISA-ADP).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of a user's browser. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (MITRE).

Users should upgrade to a version newer than MCMS v6.0.1 when available. Until then, implementing proper input validation and output encoding for user-supplied data can help mitigate this vulnerability (MCMS Repo).