CVE-2025-66026: 
PHP vulnerability analysis and mitigation

CVE-2025-66026 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in REDAXO CMS, affecting versions prior to 5.20.1. The vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without proper HTML-escaping (GitHub Advisory).

The vulnerability stems from improper input sanitization in the Mediapool component. The control flow begins in redaxo/src/addons/mediapool/pages/index.php which reads args via rex_request('args', 'array') and passes them to media.list.php. The vulnerability occurs when $argUrl['args']['types'] is injected into an HTML string without proper escaping. The CVSS v3.1 score is 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

When exploited, this vulnerability allows arbitrary JavaScript execution in the backend context, enabling attackers to steal session cookies, CSRF tokens, and other sensitive data. Additionally, it allows attackers to perform any administrative actions on behalf of the affected user when they visit a crafted link while logged in (GitHub Advisory).

The vulnerability has been patched in REDAXO CMS version 5.20.1. The fix involves implementing proper HTML escaping for the args[types] parameter using rex_escape() function (GitHub Commit).