CVE-2025-15093 is a cross-site scripting vulnerability identified in the FlyCMS content management system developed by sunkaifei. The vulnerability exists in the Admin Login component, specifically within an unknown function in the file src/main/java/com/flycms/web/system/IndexAdminController.java. The flaw is triggered by manipulation of the redirectUrl argument, which is not properly sanitized or encoded before being reflected in the web response. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser when they interact with a crafted URL. The attack vector is remote and does not require any authentication, although user interaction is necessary to trigger the malicious payload. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with the vector string showing network attack vector, low attack complexity, no privileges required, user interaction required, and limited impact on integrity. Due to FlyCMS’s continuous delivery model with rolling releases, precise affected versions are not clearly defined beyond a specific commit hash. The vendor was contacted but did not respond, and no patches or updates have been published. The exploit code has been publicly released, increasing the likelihood of exploitation attempts. This vulnerability primarily threatens the confidentiality and integrity of user sessions and data by enabling script injection, which can lead to session hijacking, credential theft, or other malicious actions performed in the context of the authenticated user.

The primary impact of CVE-2025-15093 is the compromise of confidentiality and integrity for users of FlyCMS administrative interfaces. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of authentication tokens, or unauthorized actions performed on behalf of the user. This can result in unauthorized access to sensitive administrative functions or data within the CMS. Although availability is not directly affected, the indirect consequences of compromised administrative accounts could lead to further system manipulation or data loss. Organizations relying on FlyCMS for website or content management may face reputational damage, data breaches, or unauthorized content modifications. The lack of vendor response and absence of patches increases the risk exposure, especially since the exploit code is publicly available. The medium CVSS score reflects that while the attack requires user interaction, it can be performed remotely without authentication, broadening the potential attack surface. Given FlyCMS’s niche market, the impact is more pronounced for organizations using this specific CMS, particularly those with public-facing administrative portals.

1. Implement strict input validation and output encoding on the redirectUrl parameter to neutralize malicious scripts. 2. Employ a web application firewall (WAF) with rules to detect and block XSS attack patterns targeting the redirectUrl parameter. 3. Restrict administrative interface access by IP whitelisting or VPN to reduce exposure to untrusted networks. 4. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Educate administrators and users to avoid clicking suspicious or unsolicited links that may contain malicious payloads. 6. Monitor web server and application logs for unusual requests containing suspicious redirectUrl parameters. 7. If possible, temporarily disable or restrict the vulnerable functionality until an official patch or update is released. 8. Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time. 9. Engage with the FlyCMS community or maintainers to encourage timely patch development and disclosure. 10. Regularly review and update all third-party components and dependencies to minimize exposure to known vulnerabilities.