Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation

Advisories

severity: medium
date: December 18, 2025
Affecting: Cameleon CMS 2.7.4
CVE: CVE-2023-53936
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51446
Product GitHub Repository
Credit: Yasin Gergin
Description: Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript.