Stored Cross-Site Scripting Vulnerability in Mezzanine CMS by Mezzanine
CVE-2025-6050

4.8 MEDIUM

Key Information:

Vendor: Jupo
Status: Vendor
CVE Published: 17 June 2025

What is CVE-2025-6050?

Mezzanine CMS, before version 6.1.1, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability in its admin interface. The issue arises from the 'displayable_links_js' function, which does not adequately sanitize blog post titles before including them in the JSON response it serves as JavaScript. An authenticated admin user can place a malicious JavaScript payload in the title field of a blog post. If another admin user is enticed to open a crafted link to the '/admin/displayable_links.js' endpoint, the payload executes in the victim's browser, potentially leading to unauthorized actions or data exposure.
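The following is an added illustration of the bug class described above, not Mezzanine's own code: a hypothetical view builds a JavaScript response from post titles by string interpolation, beside a hardened version that serializes the data with `json.dumps` and then escapes the characters that let a string break out of a JS literal or terminate an enclosing script element. The function names and the sample posts are constructed for this example.

```python
import json

# Constructed sample data standing in for blog posts whose titles an admin can edit.
# The second title is a typical stored-XSS probe of the kind the advisory describes.
SAMPLE_POSTS = [
    {"title": "Welcome post", "url": "/blog/welcome/"},
    {"title": "</script><script>alert(1)</script>", "url": "/blog/probe/"},
]


def links_js_unsafe(posts):
    """Vulnerable pattern (hypothetical): titles are interpolated verbatim into JS source,
    so markup in a title reaches the browser unescaped."""
    items = ",".join(
        '{"title": "%s", "value": "%s"}' % (p["title"], p["url"]) for p in posts
    )
    return "var links = [%s];" % items


def links_js_safe(posts):
    """Hardened pattern: json.dumps escapes quotes and backslashes, and the extra
    replacements turn <, > and & into \\uXXXX escapes. The JSON stays valid, but an HTML
    parser can no longer see a closing </script> or any other tag inside the data."""
    data = json.dumps([{"title": p["title"], "value": p["url"]} for p in posts])
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        data = data.replace(ch, esc)
    return "var links = %s;" % data


def contains_raw_markup(js_source):
    """Simple check a reviewer can run over a generated response body."""
    return "<" in js_source or ">" in js_source


def parse_links(js_source):
    """Recover the serialized list from links_js_safe output (prefix/suffix are fixed)."""
    prefix, suffix = "var links = ", ";"
    if not (js_source.startswith(prefix) and js_source.endswith(suffix)):
        raise ValueError("unexpected response shape")
    return json.loads(js_source[len(prefix):-len(suffix)])


if __name__ == "__main__":
    print(links_js_unsafe(SAMPLE_POSTS))  # raw </script> reaches the browser
    print(links_js_safe(SAMPLE_POSTS))    # markup characters are \u-escaped
```

The escaped form still decodes to the original title on the client, so the fix costs nothing functionally; serving the response with a JavaScript content type rather than text/html is the complementary control.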

Affected Version(s)

mezzanine 0.1 < 6.1.1

References

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
