CVE-2025-71177

UNKNOWN 0.0

LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

CWE	CWE-79
Vendor	lavalite
Product	lavalite cms
Published	Jan 23, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for lavalite lavalite cms

Be the first to know when new unknown vulnerabilities affecting lavalite lavalite cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

LavaLite / LavaLite CMS

0 ≤ 10.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/LavaLite/cms/issues/420 lavalite.org: https://lavalite.org/ vulncheck.com: https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search

Credits

abigowl Beatriz Fresno Naumova