Description
Raytha CMS is vulnerable to Stored XSS via FieldValues[0].Value parameter in page creation functionality. Authenticated attacker with permissions to create content can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

This issue was fixed in version 1.4.6.
Published: 2026-03-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS allowing arbitrary script execution in website context
Action: Apply Patch
AI Analysis

Impact

Raytha CMS is vulnerable to Stored Cross‑Site Scripting via the FieldValues[0].Value parameter used when creating pages. An authenticated attacker who has permission to create content can insert arbitrary HTML and JavaScript into this field. When a visitor later loads the edited page, the injected script runs in the visitor’s browser, potentially allowing an attacker to steal cookies, hijack sessions, deface the site, or execute further malicious actions. This is a classic Stored XSS (CWE-79) that compromises confidentiality and integrity of website users.

Affected Systems

All unpatched installations of Raytha CMS, specifically any version preceding 1.4.6, are affected. The vulnerability impacts the page creation functionality for users with sufficient permissions. Raytha’s officially documented fix is included in version 1.4.6, and it is recommended to upgrade or apply the relevant patch for all installations.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, and the low EPSS (<1%) indicates a low likelihood that the vulnerability will be actively exploited. The vulnerability is not listed in the CISA KEV catalog, reinforcing its lower exploitation risk. Nonetheless, because the exploit requires authenticated access, internal actors with content‑creation privileges can leverage it. Institutions using Raytha should prioritize upgrading to 1.4.6 or later to eliminate the risk.

Generated by OpenCVE AI on March 17, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raytha CMS to version 1.4.6 or later

Generated by OpenCVE AI on March 17, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Raytha
Raytha raytha
CPEs cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products Raytha
Raytha raytha
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Raytha CMS is vulnerable to Stored XSS via FieldValues[0].Value parameter in page creation functionality. Authenticated attacker with permissions to create content can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6.
Title Stored XSS in Raytha CMS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Raytha Raytha
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:57.155Z

Reserved: 2025-12-30T08:44:21.410Z

Link: CVE-2025-69237

cve-icon Vulnrichment

Updated: 2026-03-16T13:44:06.617Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:00.647

Modified: 2026-03-16T19:31:55.417

Link: CVE-2025-69237

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:40Z

Weaknesses