Reflected Cross-Site Scripting Vulnerability in REDAXO CMS
CVE-2025-66026

6.1MEDIUM

Key Information:

Vendor: Redaxo
Status: Redaxo
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-66026?

The REDAXO CMS, a popular PHP-based content management system, presents a reflected Cross-Site Scripting (XSS) vulnerability affecting versions prior to 5.20.1. This vulnerability stems from the Mediapool view, where the request parameter 'args[types]' is improperly rendered into an info banner without HTML escaping. As a result, when an authenticated user clicks on a specially crafted link, it may allow the execution of arbitrary JavaScript within the backend context, potentially compromising user sessions and sensitive data. The issue has been addressed and patched in version 5.20.1.

Affected Version(s)

redaxo < 5.20.1

References

https://github.com/redaxo/redaxo/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/redaxo/redaxo/commit/58929062312cf03e3...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Nov 21, 2025

JSON

Redaxo

What is CVE-2025-66026?

Affected Version(s)

References

CVSS V3.1

Timeline