Stored Cross-Site Scripting Vulnerabilities in Episerver CMS by Optimizely
CVE-2025-27801

4.6 MEDIUM

Key Information:

Vendor: Optimizely
CVE Published: 28 July 2025

What is CVE-2025-27801?

The Episerver Content Management System by Optimizely contains multiple stored cross-site scripting vulnerabilities. An authenticated attacker holding the WebEditor role can upload SVG files that embed JavaScript, and the CMS stores and serves them back without removing the script. When a victim opens the direct URL of the uploaded asset, the browser renders the SVG as a top-level document and runs the embedded script in the context of the CMS site, exposing whatever that victim's session can reach (editor and administrator sessions included). The direct URL matters: script inside an SVG does not run when the image is embedded via an img element or CSS, so a gallery preview may look harmless while the same file opened as a page executes the payload. Because the payload is stored rather than reflected, it persists and fires for every user who follows the link.
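The class of bug above is an upload filter that accepts SVG as an ordinary image. As an added example (not code from the advisory, from Optimizely, or from Episerver), the following Python check illustrates what an upload-time validator has to look for before an SVG is accepted: script elements, elements that embed other documents, event-handler attributes, and javascript:/data: URLs in href attributes, with whitespace-in-scheme tricks normalised away. The function names, the "reject on DOCTYPE" rule and the sample documents are all assumptions made for this illustration.

```python
"""Upload-time check for SVG files that could execute script when a user
opens them by direct URL.  Added example, not Episerver/Optimizely code;
svg_findings, is_safe_svg and the sample documents are illustrative names."""
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or pull in another document once the SVG is
# rendered as a top-level document, which is what a direct URL does.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed",
                   "set", "animate", "animateTransform"}
# URL-bearing attributes the browser follows when the SVG is rendered
# (plain href and the namespaced xlink:href, as ElementTree reports it).
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local_name(qname: str) -> str:
    """Strip the ElementTree '{namespace}' prefix from a tag or attribute."""
    return qname.rsplit("}", 1)[-1]


def _normalise_url(value: str) -> str:
    """Drop whitespace/control characters, which browsers ignore inside a
    scheme (so 'java<TAB>script:' is still javascript:), then lower-case."""
    return "".join(ch for ch in value if ch > " ").lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG is unsafe to store and serve; [] if none."""
    # Assumed policy: a DOCTYPE (and therefore entity expansion) is never
    # needed in an uploaded image, so reject it before parsing at all.
    if b"<!DOCTYPE" in data:
        return ["DOCTYPE declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for el in root.iter():            # root.iter() includes the root itself
        name = _local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local_name(attr)
            if aname.lower().startswith("on"):      # onload, onclick, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif attr in URL_ATTRIBUTES:
                url = _normalise_url(value)
                for scheme in DANGEROUS_SCHEMES:
                    if url.startswith(scheme):
                        findings.append(f"{scheme} URL in {aname} on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept only SVGs with no findings."""
    return not svg_findings(data)


# Constructed sample documents (not taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<rect width="1" height="1"/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#9;script:alert(1)">'
            b'<text x="0" y="10">click</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("onload", ONLOAD_SVG), ("href", HREF_SVG)]:
        verdict = "accept" if is_safe_svg(doc) else "reject"
        print(f"{label}: {verdict} {svg_findings(doc)}")
```

A reject-on-upload check closes the path the advisory describes, but any case the check misses (ElementTree, for instance, discards processing instructions such as xml-stylesheet, and new vectors keep appearing) still executes in the site's context. The check that does not depend on the filter being complete is on the serving side: deliver uploaded SVGs with Content-Disposition: attachment, from a separate cookieless origin, or under a Content-Security-Policy with the sandbox directive, so that a direct URL cannot run script with the victim's CMS session.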

Affected Version(s)

Episerver Content Management System (CMS) 11.x < 11.21.4

Episerver Content Management System (CMS) 12.x < 12.22.1

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved
  • Vulnerability published: 28 July 2025

Credit

Kai Zimmermann, SEC Consult Vulnerability Lab
Felix Beie, SEC Consult Vulnerability Lab