CVE-2025-66492
CVE-2025-66492 is a high-severity vulnerability in Masacms with a CVSS 3.x base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 0% (11th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-203028
- Weakness: CWE-79
- Affected product: Masacms
- Published:
- Last modified:
Description
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
Frequently asked questions
- What is CVE-2025-66492?
- Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
- How severe is CVE-2025-66492?
- CVE-2025-66492 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2025-66492 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (11th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-66492?
- CVE-2025-66492 affects Masacms. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-66492?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-66492 have an EU (EUVD) identifier?
- Yes. CVE-2025-66492 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-203028.
- When was CVE-2025-66492 published?
- CVE-2025-66492 was published on 2025-12-12 and last updated on 2026-06-17.
References
- https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e
- https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc
Affected products (1)
- cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*
More vulnerabilities in Masacms
- CVE-2024-32641 — Critical (CVSS 9.8): Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6…
- CVE-2022-47002 — Critical (CVSS 9.8): A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass…
- CVE-2024-32642 — High (CVSS 8.8): Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is…
- CVE-2024-32643 — High (CVSS 7.5): Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the…
- CVE-2021-42183 — High (CVSS 7.5): MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →