LavaLite CMS: When 'Package Management' Delivers a payload.js
Vulnerability ID: CVE-2025-71177
CVSS Score: 5.1
Published: 2026-01-23
LavaLite CMS, a platform built on the usually robust Laravel framework, creates a perfect storm of irony by allowing Stored XSS in its package management system. Laravel's Blade templating escapes output by default, yet this vulnerability shows that a determined developer can always find a way to bypass that protection. By injecting malicious JavaScript into package names or descriptions, an attacker can lay a persistent trap for administrators, turning a simple package search into a full session compromise.
TL;DR
Authenticated users can inject malicious HTML/JS into the 'Name' or 'Description' fields of a new package. This payload is stored in the database. When an administrator (or any user) searches for packages, the application renders the search results without escaping the output, executing the attacker's script. This is a classic Stored XSS resulting in potential account takeover.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v4.0: 5.1 (Medium)
- Exploit Status: PoC Available
- KEV Status: Not Listed
- Privileges: Low (Authenticated)
Affected Systems
- LavaLite CMS <= 10.1.0 (Fixed in: > 10.1.0)
Exploit Details
- GitHub Issue: Original bug report detailing the injection via package name field.
Mitigation Strategies
- Input Sanitization
- Output Encoding
- Content Security Policy (CSP)
Remediation Steps:
- Upgrade LavaLite CMS to a version > 10.1.0 immediately.
- Audit custom Blade templates for usage of raw output tags {!! !!}.
- Implement a strict Content Security Policy (CSP) to block inline script execution.
- Review the database for existing malicious entries in the packages table.
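As an added example (not code from the advisory or from LavaLite), the two audits above can be scripted: scan Blade templates for raw {!! !!} output tags, flag package rows whose name or description contain markup, and show what Blade's default {{ }} escaping would have rendered instead. The template snippet, column names and rows are constructed for illustration and do not reflect LavaLite's real files or data.

```python
import html
import re

# Blade raw-output tag {!! expr !!}; escaped output {{ expr }} is the safe default.
RAW_TAG = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.DOTALL)
# Markup-like content a package name or description should never contain.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_raw_output(template: str):
    """Return (line_no, expression) for every {!! !!} tag in a Blade template."""
    hits = []
    for m in RAW_TAG.finditer(template):
        line_no = template.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1)))
    return hits


def escape_like_blade(value: str) -> str:
    """Approximate Blade's {{ }} escaping (PHP htmlspecialchars with ENT_QUOTES).
    Python encodes the single quote as &#x27; where PHP emits &#039;."""
    return html.escape(value, quote=True)


def find_suspicious_packages(rows):
    """Return ids of package rows whose name or description contain markup.
    Legitimate rich text is flagged too; the list is for manual review."""
    return [r["id"] for r in rows
            if MARKUP.search(r.get("name", "")) or MARKUP.search(r.get("description", ""))]


# Constructed sample template (hypothetical, not LavaLite's real Blade file).
SAMPLE_TEMPLATE = """<td>{{ $package->slug }}</td>
<td>{!! $package->name !!}</td>
<td>{!! $package->description !!}</td>
"""

# Constructed sample rows, not data from any real installation.
SAMPLE_ROWS = [
    {"id": 1, "name": "blog", "description": "Blog module"},
    {"id": 2, "name": "<script>alert(1)</script>", "description": "x"},
    {"id": 3, "name": "shop", "description": "<b>Shop</b> module"},
]

if __name__ == "__main__":
    for line_no, expr in find_raw_output(SAMPLE_TEMPLATE):
        print(f"raw output at template line {line_no}: {expr}")
    print("package ids to review:", find_suspicious_packages(SAMPLE_ROWS))
    print("escaped form of row 2 name:", escape_like_blade(SAMPLE_ROWS[1]["name"]))
```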
References
Read the full report for CVE-2025-71177 on our website for more details including interactive diagrams and full exploit analysis.