Cross-Site Scripting Vulnerability in Total.js CMS by Total.js
CVE-2025-10940

4.8MEDIUM

Key Information:

Vendor

Total.js

Status
Cms
Vendor
CVE Published:
25 September 2025

What is CVE-2025-10940?

A cross-site scripting vulnerability exists within the Total.js CMS 1.0.0 version, specifically in the 'layouts_save' function located in the /admin/ directory of the Layout Page component. This flaw allows remote attackers to manipulate the 'HTML' argument, potentially leading to unauthorized execution of scripts in users' browsers. The vulnerability has gained public attention, highlighting the need for timely remediation as it poses serious security risks if exploited.

Affected Version(s)

CMS 1.0.0

References

https://vuldb.com/?id.325810
vdb-entrytechnical-description
https://vuldb.com/?ctiid.325810
signaturepermissions-required
https://vuldb.com/?submit.651867
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Edcarlos (VulDB User)
JSON
.
CVE-2025-10940 : Cross-Site Scripting Vulnerability in Total.js CMS by Total.js