Description
Raytha CMS is vulnerable to stored XSS via the FieldValues[1].Value parameter of the post-editing functionality. An authenticated attacker with permission to edit posts can inject arbitrary HTML and JavaScript into the website, which is rendered and executed when the edited page is visited.

This issue was fixed in version 1.4.6.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Raytha CMS allows an attacker who can edit posts to store malicious markup in the FieldValues[1].Value parameter. When the post is saved, the injected HTML and JavaScript is persisted and later rendered on the public page without neutralization, so it executes in the browser of every visitor who loads that page. This stored cross-site scripting flaw can be used to compromise the integrity of the website, deface content, or conduct phishing attacks against site visitors. The weakness is classified as CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting).

Affected Systems

Raytha CMS is affected in all releases prior to version 1.4.6. The fix was incorporated in release 1.4.6. All instances of Raytha deployed before that version should be considered vulnerable.

Risk and Exploitability

The CVSS base score is 5.1, indicating medium severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the post-editing interface: the attacker must already hold sufficient permissions to edit content. Because the payload is stored server-side and executed in visitors' browsers, the attack path depends on authenticated control of post content and on a visitor loading the compromised page.

Generated by OpenCVE AI on March 17, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raytha CMS to version 1.4.6 or later, the first release containing the fix.


Tracking


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Raytha; Raytha raytha
CPEs | | cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products | | Raytha; Raytha raytha
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 16 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Raytha CMS is vulnerable to Stored XSS via FieldValues[1].Value parameter in post editing functionality. Authenticated attacker with permissions to edit posts can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6.
Title | | Stored XSS in Raytha CMS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:57.302Z

Reserved: 2025-12-30T08:44:21.410Z

Link: CVE-2025-69236

Vulnrichment

Updated: 2026-03-16T13:44:08.924Z

NVD

Status: Analyzed

Published: 2026-03-16T14:18:00.450

Modified: 2026-03-16T19:32:09.697

Link: CVE-2025-69236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:41Z

Weaknesses