Stored XSS Vulnerability in Optimizely Episerver Content Management System
CVE-2025-27802

4.6 MEDIUM

Key Information:

Vendor:
Optimizely

CVE Published:
28 July 2025

What is CVE-2025-27802?

The Optimizely Episerver Content Management System (CMS) is affected by multiple stored cross-site scripting (XSS) vulnerabilities. Authenticated users holding the 'WebEditor' role can inject arbitrary JavaScript into text fields within the CMS. Once stored, the injected code executes in the browsers of users who view the previewed pages, potentially leading to unauthorized access and data compromise.

Affected Version(s)

Episerver Content Management System (CMS) 11.x < 11.21.4

Episerver Content Management System (CMS) 12.x < 12.22.1

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Kai Zimmermann, SEC Consult Vulnerability Lab
Felix Beie, SEC Consult Vulnerability Lab