Description
Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in profile editing functionality. Authenticated attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page.

This issue was fixed in version 1.4.6.
Published: 2026-03-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (arbitrary JavaScript execution)
Action: Patch
AI Analysis

Impact

The vulnerability allows an authenticated attacker to store malicious HTML or JavaScript in the FirstName and LastName fields during profile editing. When a page containing the edited profile is viewed, the injected script is executed in the visitor’s browser, potentially leading to session hijacking, cookie theft, defacement or other client‑side abuse. The weakness is identified as a stored XSS flaw (CWE‑79).

Affected Systems

Raytha CMS from the vendor Raytha is affected. All releases before version 1.4.6 contain the flaw; the issue is fixed in 1.4.6 and later. No other product variants or vendors are listed.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not included in the CISA KEV catalog and no public exploits are documented. Attack requires authenticated access to the profile editing function, so the risk depends on the account privilege model of the installation. Overall, risk is moderate but exploitability is low under current conditions.

Generated by OpenCVE AI on March 17, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raytha CMS to version 1.4.6 or later

Generated by OpenCVE AI on March 17, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Raytha
Raytha raytha
CPEs cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products Raytha
Raytha raytha
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in profile editing functionality. Authenticated attacker can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. This issue was fixed in version 1.4.6.
Title Stored XSS in Raytha CMS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Raytha Raytha
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:56.532Z

Reserved: 2025-12-30T08:44:21.410Z

Link: CVE-2025-69241

cve-icon Vulnrichment

Updated: 2026-03-16T13:43:56.921Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:01.390

Modified: 2026-03-16T19:28:08.840

Link: CVE-2025-69241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:37Z

Weaknesses