LavaLite CMS, Stored Cross-Site Scripting, CVE-2024-XXXXX (Moderate)

Listen to this Post

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within LavaLite CMS’s package management module. An authenticated user with privileges to create or edit software packages can inject malicious HTML or JavaScript code into the “Name” or “Description” input fields. This user-supplied input is not adequately sanitized or validated before being permanently stored in the application’s database. The vulnerability is triggered when another user, such as an administrator, accesses the package search functionality. The backend retrieves the malicious package data from the database and directly embeds it into the HTML of the search results page without proper context-aware output encoding. Consequently, the victim’s browser interprets the injected payload as legitimate executable code rather than inert text. This allows the attacker’s script to run within the security context of the victim’s session, leading to a complete compromise of their interaction with the CMS.
Platform: LavaLite CMS
Version: <= 10.1.0
Vulnerability : Stored XSS
Severity: Moderate
date: Jan 23, 2026

Prediction: Feb 15, 2026

What Undercode Say:

Analytics:

`curl -s “https://target.com/lavalite/packages” | grep -i “version”`

`cat payload.html`

``

How Exploit:

1. Attacker authenticates to CMS.

  1. Creates package with malicious script in name field.

3. Victim views package search results.

4. Injected script executes in victim’s browser.

Protection from this CVE:

Apply vendor patch.

Implement strict input validation.

Enforce output encoding.

Impact:

Session hijacking.

Credential theft.

Unauthorized administrative actions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top