CVE-2025-57520 – Stored XSS in Decap CMS (<= 3.8.3)
• ResponsibleDisclosure, Cybersecurity, CVE MITRE, OffensiveSecurity,
This vulnerability has been assigned CVE-2025-57520 by MITRE.
Vulnerability Summary
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Affected Versions: Decap CMS <= 3.8.3
- Affected Component: Admin Panel → Content Preview Renderer (title, tags, description, body)
- Impact: Session hijacking, credential theft, arbitrary JavaScript execution in privileged user context
- Discoverer: Onurcan Genç – Independent Security Researcher
Scenario Flow
- Contributor (low privilege) injects a malicious payload into a blog entry.
- Editor/Admin (high privilege) later opens the entry in the preview panel.
- The payload executes in the privileged user’s browser context.
The vulnerability was verified under both contributor and editor roles. The most severe impact is observed when an admin user views the malicious entry in preview mode, leading to stored XSS execution in the privileged context.
Proof of Concept (PoC)
Payload Example
"><img src=x onerror=alert(document.cookie)>
Two Step Description
- Contributor creates malicious entry
- Admin opens preview and XSS payload executes
Impact
This stored XSS vulnerability enables arbitrary JavaScript execution whenever privileged users (e.g., admin) open the preview panel.
Possible consequences include:
- Session hijacking
- Credential theft
- Content defacement
- Injection of backdoors into statically generated websites
References
- CVE Record: CVE-2025-57520 (currently RESERVED)
- Decap CMS GitHub Repository
Timeline
- August 6, 2025 – Vulnerability discovered and reported.
- September 9, 2025 – MITRE assigned CVE-2025-57520 (RESERVED).
- September 10, 2025 – Public advisory published on onurcangenc.com.tr.
Author
Onurcan Genç
Independent Security Researcher