HIGH🇵🇱 Wersja polska

CVE-2025-15540

CVSS 8.6v4.0pub. 2026-03-16upd. 2026-03-17

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment. This issue was fixed in version 1.4.6.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Raytha

    APP
    Raytha
    < 1.4.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-69240HIGH7.5ten sam produkt

Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The...

CVE-2025-69237MEDIUM5.1ten sam produkt

Raytha CMS is vulnerable to Stored XSS via FieldValues[0].Value parameter in page creation functionality. Auth...

CVE-2025-69238MEDIUM6.9ten sam produkt

Raytha CMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. Attacker can craft special w...

CVE-2025-69239MEDIUM5.1ten sam produkt

Raytha CMS is vulnerable to Server-Side Request Forgery in the “Themes - Import from URL” feature. It allows a...

CVE-2025-69241MEDIUM5.3ten sam produkt

Raytha CMS is vulnerable to Stored XSS via FirstName and LastName parameters in profile editing functionality....