
CVE-2025-30148 XSS vulnerability in HTML editor

Severity:
Medium
Identifier:
CVE-2025-30148
Versions Affected:
silverstripe/framework: <5.3.23
Versions Fixed:
silverstripe/framework: 5.3.23
Release Date:
2025-04-10

A bad actor with access to edit content in the CMS could send a specially crafted, encoded payload to the server, which could be used to inject JavaScript on the front end of the site. The client-side sanitisation in the HTML editor would catch the payload, but the server-side sanitisation did not, so a payload submitted directly to the server rather than typed into the editor was stored unsanitised and rendered to site visitors.

The server-side sanitisation logic has been updated to sanitise against this attack.
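The following is an added illustration of the failure mode described above and of the kind of server-side check that closes it; it is not Silverstripe's code and not the patch. The payload it uses (an entity-encoded `javascript:` scheme in an `href`) is a generic example of an encoded payload, chosen for illustration, and is not the payload reported for CVE-2025-30148. The sample content, function names and scheme allowlist are all assumptions made for the example.

```javascript
// Added illustration for this advisory, not Silverstripe's own code.
// It contrasts a server-side check that inspects the raw markup (and so
// misses an entity-encoded scheme) with one that decodes first, the way the
// browser will, and then allowlists the scheme. The payload is a generic
// example chosen for illustration, not the payload reported for CVE-2025-30148.

// Named character references a browser decodes inside attribute values.
// Only a handful are needed here; a real sanitiser uses a full table or a
// DOM parser, which decodes them for you.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode decimal (&#106;), hex (&#x6A;) and named (&colon;) references.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED, ref) ? NAMED[ref] : m;
  });
}

const SCRIPT_TAG = /<script\b[^>]*>[\s\S]*?<\/script>/gi;
const URL_ATTR = /\s(href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Naive server-side sanitiser: strips <script> and any href/src whose RAW
// value starts with "javascript:". An encoded scheme never matches, so it
// is stored as-is and decoded by the visitor's browser.
function naiveSanitise(html) {
  return html
    .replace(SCRIPT_TAG, '')
    .replace(/\s(href|src)\s*=\s*(["'])\s*javascript:[^"']*\2/gi, '');
}

// Assumed allowlist for the example; a real deployment sets its own.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Decide whether a URL attribute value may be kept: decode references as the
// browser will, drop C0 controls and spaces the URL parser ignores, then
// allowlist the scheme. A relative URL has no scheme and is accepted.
function isSafeUrl(raw) {
  const decoded = decodeEntities(raw).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Hardened sanitiser: same <script> removal, but href/src are judged on
// their decoded value and the attribute is dropped when the scheme is not
// allowlisted.
function hardenedSanitise(html) {
  return html
    .replace(SCRIPT_TAG, '')
    .replace(URL_ATTR, (m, attr, dq, sq) => (isSafeUrl(dq !== undefined ? dq : sq) ? m : ''));
}

// Constructed sample content, as it might be POSTed to the CMS by a client
// that bypasses the in-browser editor. The browser decodes &#106; to "j"
// before following the link, so the second anchor runs script on the front end.
const SAMPLE =
  '<p>Hello</p>' +
  '<a href="&#106;avascript:alert(1)">click</a>' +
  '<a href="https://example.org/">ok</a>';

console.log('naive   :', naiveSanitise(SAMPLE));
console.log('hardened:', hardenedSanitise(SAMPLE));
```

The point is where the check runs, not the regexes themselves: any check that compares the stored string against a denylist of literal schemes is judging a different string from the one the browser will act on. Decoding (or parsing into a DOM) before the scheme check, and allowlisting rather than denylisting, removes that gap; a production sanitiser should do this with a proper HTML parser rather than the regexes used here for brevity.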

Base CVSS: 5.4
Reported by: James Nicoll from Fujitsu Cyber