Cross-Site Scripting Vulnerability in CicadasCMS by Westboy
CVE-2025-11289

4.8MEDIUM

Key Information:

Vendor

Westboy

Status
Cicadascms
Vendor
CVE Published:
5 October 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-11289?

A cross-site scripting vulnerability exists in CicadasCMS, specifically in the Template Management Page's Save function found in TemplateFileServiceImpl.java. This weakness allows attackers to execute malicious scripts remotely, potentially compromising user sessions and data integrity. Given that this exploit has already been disclosed publicly, it is crucial to implement security measures to prevent possible attacks.

Affected Version(s)

CicadasCMS 2431154dac8d0735e04f1fd2a3c3556668fc8dab

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-11289 - Proof of Concept

References

https://vuldb.com/?id.327170
vdb-entrytechnical-description
https://vuldb.com/?ctiid.327170
signaturepermissions-required
https://vuldb.com/?submit.659789
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

xmttz (VulDB User)
JSON
.
CVE-2025-11289 : Cross-Site Scripting Vulnerability in CicadasCMS by Westboy