CVE-2025-6050

Name of the Vulnerable Software and Affected Versions Mezzanine CMS versions prior to 6.1.1

Description The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. It exists in the displayable links js function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable links.js" endpoint, causing the malicious script to execute in their browser.

Recommendations For versions prior to 6.1.1, update to version 6.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the displayable links js function until a patch is available. Restrict access to the "/admin/displayable links.js" endpoint to minimize the risk of exploitation. Avoid using malicious JavaScript payloads in the title field of blog posts until the issue is resolved.