PatchSiren

LavaLite CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM LavaLite CVE published 2026-01-23

CVE-2025-71177

CVE-2025-71177 is a stored cross-site scripting (XSS) vulnerability affecting LavaLite CMS versions up to and including 10.1.0. The vulnerability exists in the package creation and search functionality, allowing authenticated users to inject malicious HTML or JavaScript in package Name or Description fields. This injected script is stored and later rendered without proper output encoding in package search [truncated]