216.73.216.86

CVE-2025-66686

· Published 07/01/2026 17:16 · Modified 08/01/2026 18:08

Labels: CVE-2025-66686 2026-01-07CVE-2025-66686CWE-79[email protected]

Essential information

Published
07/01/2026 17:16
Modified
08/01/2026 18:08
Author
Creator
CVSS
6.1 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS metrics

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
perchcms / perch cms cpe:2.3:a:perchcms:perch_cms:3.2:*:*:*:*:*:*:*

References