GHSA-xp8g-32qh-mv28
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xp8g-32qh-mv28
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-xp8g-32qh-mv28/GHSA-xp8g-32qh-mv28.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xp8g-32qh-mv28
- Aliases
- Published
- 2025-09-10T18:30:16Z
- Modified
- 2025-09-23T20:24:42Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Decap CMS Cross Site Scripting (XSS) vulnerability
- Details
-
Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting (XSS) in the admin preview pane. User-controlled fields (e.g., title, description, tags, and body) are rendered in the preview without sufficient sanitization/escaping. An attacker with low-privilege author/contributor access can persist a JavaScript payload in content; when a maintainer or reviewer opens the preview, the payload executes in the CMS admin origin, enabling token/session theft or the execution of privileged actions via the DOM. The issue affects multiple input vectors and requires only passive interaction from the previewing user. As no patched version is available, administrators should restrict untrusted contributor roles and filter or disable preview rendering of untrusted HTML.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-09-10T20:48:53Z", "nvd_published_at": "2025-09-10T17:15:33Z", "github_reviewed": true, "severity": "MODERATE" }- References
Affected packages
npm / decap-cms
Package
- Name
- decap-cms
- View open source insights on deps.dev
- Purl
- pkg:npm/decap-cms