PT-2025-48111 · Redaxo · Redaxo

Published: 2025-11-25 · Updated: 2025-11-29 · CVE-2025-66026

CVSS v3.1: 6.1 (Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Name of the Vulnerable Software and Affected Versions: REDAXO versions prior to 5.20.1

Description: REDAXO is a PHP-based CMS. A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view, where the request parameter args[types] is rendered into an info banner without HTML escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated backend user opens a crafted link. The vulnerability is located in redaxo/src/addons/mediapool/pages/index.php and redaxo/src/addons/mediapool/pages/media.list.php. The parameter args[types] is read via rex_request('args', 'array') and passed to media.list.php, where it is injected into an HTML string built with the rex_view::info() function without proper escaping. An attacker can exploit this by crafting a URL containing malicious JavaScript in the args[types] parameter, which is then executed in the victim's browser when the link is opened. This could lead to the theft of session cookies, CSRF tokens or other sensitive data, and allow the attacker to perform administrative actions on behalf of the affected user.

Recommendations: Versions prior to 5.20.1 should be updated to version 5.20.1 or later.
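The escaping defect described above, reduced to a stand-alone PHP sketch (an added example, not REDAXO's own code): the vulnerable concatenation beside two hardened variants, output escaping and an extension allowlist. The function names, banner markup and sample request value are assumptions for illustration.

```php
<?php
// Added example, not code from REDAXO. The real logic lives in
// redaxo/src/addons/mediapool/pages/media.list.php; the names below
// are assumed for illustration only.

// Constructed request input standing in for rex_request('args', 'array').
// A real request would carry this in the args[types] query parameter.
$args = ['types' => 'jpg,png<img src=x onerror=alert(1)>'];

// Vulnerable pattern: the request value is concatenated straight into the
// banner markup, so any markup inside args[types] is parsed as HTML by the
// browser instead of being shown as text.
function infoBannerUnsafe(array $args): string
{
    $types = $args['types'] ?? '';
    return '<div class="alert alert-info">File types: ' . $types . '</div>';
}

// Hardened pattern 1: escape the untrusted value for an HTML text context
// right before concatenation. ENT_QUOTES | ENT_SUBSTITUTE with an explicit
// charset encodes <, >, &, ' and " and replaces invalid UTF-8 sequences.
function infoBannerSafe(array $args): string
{
    $types = htmlspecialchars($args['types'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert alert-info">File types: ' . $types . '</div>';
}

// Hardened pattern 2: args[types] is only ever a comma-separated list of file
// extensions, so the value can additionally be validated against a strict
// allowlist before it reaches any template; anything else is rejected.
function isValidTypeList(string $types): bool
{
    return preg_match('/^[a-z0-9]+(,[a-z0-9]+)*$/i', $types) === 1;
}

// Regression check a maintainer could keep in a test suite: a tag-like
// sequence from the input must never appear verbatim in the rendered banner.
function leaksRawMarkup(string $html, string $input): bool
{
    return preg_match('/<[a-z][^>]*>/i', $input) === 1
        && strpos($html, $input) !== false;
}

$unsafe = infoBannerUnsafe($args);
$safe   = infoBannerSafe($args);

echo "unsafe banner: $unsafe\n";
echo "safe banner:   $safe\n";
echo 'unsafe leaks markup: ' . var_export(leaksRawMarkup($unsafe, $args['types']), true) . "\n";
echo 'safe leaks markup:   ' . var_export(leaksRawMarkup($safe, $args['types']), true) . "\n";
echo 'input passes allowlist: ' . var_export(isValidTypeList($args['types']), true) . "\n";
```

Escaping at the output point (pattern 1) is the fix that matters for this class of bug; the allowlist (pattern 2) is defense in depth and does not replace it.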

Related Identifiers

CVE-2025-66026
GHSA-X6VR-Q3VF-VQGQ

Affected Products

Redaxo