CVE-2025-15093: Cross Site Scripting in sunkaifei FlyCMS
A security flaw has been discovered in sunkaifei FlyCMS up to commit abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used. This product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15093 is a cross-site scripting vulnerability in FlyCMS, a Java content management system by sunkaifei. The issue is in the Admin Login component, in an unspecified function of src/main/java/com/flycms/web/system/IndexAdminController.java. The redirectUrl argument, by its name a post-login redirect target, is handled without adequate validation or output encoding, so a crafted value injects script into the login page. The attack is initiated remotely and needs no privileges: the natural delivery is a link to the admin login page carrying a malicious redirectUrl, and the payload fires when a victim opens it, which is why the CVSS 4.0 vector requires user interaction. The CVSS 4.0 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, user interaction required. The project ships by continuous delivery with rolling releases, so there is no affected-version range and no named fixed release; the commit abbaa5a8daefb146ad4d61027035026b052cb414 is the latest state known to be affected. The vendor did not respond to the disclosure and no patch link is available. Public exploit code exists, which raises the likelihood of exploitation. Script running in the origin of the FlyCMS admin interface can read and submit the login form (capturing an administrator's credentials as they are typed), use or exfiltrate an existing admin session where cookies are exposed to script, and perform authenticated actions on the administrator's behalf, so the primary exposure is to the confidentiality and integrity of the administered site.
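The pattern behind this class of bug, shown as an added example rather than FlyCMS code: the advisory does not say which function or template emits redirectUrl, so the hidden-input rendering, the /system/login action and the /system/index fallback below are hypothetical stand-ins for "a login handler writes the parameter into its page". The payload is a generic attribute break-out, not the published exploit.

```python
"""Reflected XSS through a login-page redirect parameter: unsafe vs. hardened.

Added example, not FlyCMS code. The sink in IndexAdminController.java is
unspecified in the advisory; the hidden <input> below is a hypothetical stand-in.
"""
import html
from urllib.parse import urlsplit

# Constructed payload (generic attribute break-out), not the released exploit.
PAYLOAD = '"><script>alert(document.domain)</script>'


def render_login_unsafe(redirect_url: str) -> str:
    """Hypothetical vulnerable pattern: the parameter is concatenated into HTML."""
    return (
        '<form method="post" action="/system/login">'
        f'<input type="hidden" name="redirectUrl" value="{redirect_url}">'
        '<input name="username"><input type="password" name="password">'
        '</form>'
    )


def safe_redirect_target(redirect_url: str, default: str = "/system/index") -> str:
    """Accept only a site-relative path; anything else falls back to the default.

    Rejects absolute URLs (any scheme or host), protocol-relative '//host' forms,
    backslashes (browsers normalise '\\' to '/') and control characters.
    """
    if not redirect_url or len(redirect_url) > 2048:
        return default
    if any(ord(c) < 0x20 or c == "\x7f" for c in redirect_url):
        return default
    if "\\" in redirect_url:
        return default
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        return default
    if not redirect_url.startswith("/") or redirect_url.startswith("//"):
        return default
    return redirect_url


def render_login_safe(redirect_url: str) -> str:
    """Hardened: validate the value, then HTML-attribute-encode it on output."""
    target = safe_redirect_target(redirect_url)
    return (
        '<form method="post" action="/system/login">'
        f'<input type="hidden" name="redirectUrl" value="{html.escape(target, quote=True)}">'
        '<input name="username"><input type="password" name="password">'
        '</form>'
    )


def contains_live_script(page: str) -> bool:
    """Crude demo check: does an unescaped <script> tag survive in the page?"""
    return "<script>" in page


if __name__ == "__main__":
    print("unsafe:", contains_live_script(render_login_unsafe(PAYLOAD)))  # True
    print("safe:  ", contains_live_script(render_login_safe(PAYLOAD)))    # False
    print(safe_redirect_target("/system/article/list?page=2"))  # unchanged
    print(safe_redirect_target("https://evil.example/"))         # /system/index
```

The two layers do different jobs. A value such as `/"><script>x</script>` passes the site-relative check (it starts with a single slash and has no scheme), so validation alone would still reflect markup; it is the attribute encoding on output that neutralises it. Conversely, encoding alone leaves `//evil.example/` usable as a redirect target, which is why the validator also rejects off-site values.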
Potential Impact
For European organizations using FlyCMS, the exposure is the administrative interface: script injected through redirectUrl runs in the origin of the admin login page, in the browser of whoever opens the crafted link. The likely targets are administrators and other privileged users, and the likely outcomes are capture of credentials typed into the login form, theft or riding of an existing admin session, and actions performed in the CMS with the victim's privileges, leading to content tampering, data exposure or further compromise of the host. Confidentiality and integrity are therefore the main concerns; availability is affected only indirectly. Public exploit code lowers the bar for opportunistic attacks against any instance whose admin login is reachable, and the usual delivery (a link in e-mail or chat that looks like a normal login URL) is not stopped by the login page itself. With no vendor response and no fixed release to move to, exposure may be prolonged, so organizations relying on FlyCMS for content management or administrative tasks should treat the issue as warranting immediate mitigation.
Mitigation Recommendations
European organizations should assume no upstream fix is coming soon and mitigate both inside and around the deployment. Those who build FlyCMS from source should fix the sink directly: treat redirectUrl as an untrusted post-login redirect target, accept only a site-relative path (reject absolute URLs, protocol-relative "//host" values, backslashes and control characters, and fall back to the admin index otherwise), and HTML-encode it wherever the login page emits it. Validation alone does not remove the XSS if the value is still written into HTML unencoded, and encoding alone does not stop the parameter from being abused as a redirect, so both layers are needed. Serve the admin interface with a Content Security Policy whose script-src is a nonce or hash list without 'unsafe-inline'; that neutralises injected inline script even while the reflection remains. Mark session cookies HttpOnly and SameSite so injected script cannot read them directly, while recognising that script in the page can still capture credentials typed into the login form and issue requests with the victim's session. Restrict who can reach the admin login (VPN, IP allowlist or a reverse-proxy rule on the admin path); this does not defeat the reflected payload itself, since the victim's own browser makes the request from an allowed address, but it shrinks the set of reachable targets and of attackers who can confirm the sink. In front of the login path, have a WAF or reverse proxy reject redirectUrl values that are not site-relative paths after percent-decoding, once you have confirmed that legitimate traffic never uses absolute values; generic XSS signatures are routinely bypassed, so a positive allowlist on this one parameter is more reliable than a blocklist. Monitor access logs for redirectUrl values containing markup, script schemes or off-site targets, decoding them first so double-encoded payloads are not missed, and correlate hits with admin logins from the same source. Brief administrators that login links should be typed or bookmarked rather than followed from e-mail or chat. Watch the FlyCMS repository for a fixing commit and rebuild as soon as one appears, and if the project stays unresponsive, plan a migration to a maintained CMS.
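A log check of the kind recommended above, as an added example that is not a FlyCMS or vendor tool: it parses combined-format access log lines, picks out redirectUrl on the login path, percent-decodes the value until it stops changing, and reports values that contain markup, use a script-bearing scheme or point off-site. The /system/login path and the log lines are constructed for the example, not taken from FlyCMS.

```python
"""Scan web-server access logs for suspicious redirectUrl values.

Added example, not a FlyCMS or vendor tool. The login path /system/login and
the sample lines are constructed; adjust LINE_RE and the path for your server.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/Nginx combined log format.
SAMPLE_LOG = r"""
203.0.113.10 - - [26/Dec/2025:01:10:01 +0000] "GET /system/login?redirectUrl=/system/index HTTP/1.1" 200 2140 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Dec/2025:01:10:05 +0000] "GET /system/login?redirectUrl=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2025:01:11:40 +0000] "GET /system/login?redirectUrl=%252F%252Fevil.example%252F HTTP/1.1" 200 2140 "https://mail.example/" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2025:01:12:02 +0000] "GET /system/login?redirectUrl=javascript%3Aalert(document.cookie) HTTP/1.1" 200 2190 "-" "curl/8.4.0"
192.0.2.44 - - [26/Dec/2025:01:13:15 +0000] "GET /system/article/list?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are checked against the fully decoded value: attribute/markup
# break-out characters, script-bearing schemes, and anything not site-relative.
MARKUP_RE = re.compile(r'[<>"\']')
SCHEME_RE = re.compile(r'^\s*(javascript|data|vbscript):', re.I)


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_redirect(value: str) -> list:
    """Return the indicators that fire for a decoded redirectUrl value (empty = clean)."""
    hits = []
    if MARKUP_RE.search(value):
        hits.append("markup")
    if SCHEME_RE.search(value):
        hits.append("script-scheme")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith("//") or "\\" in value:
        hits.append("off-site")
    elif not value.startswith("/"):
        hits.append("not-site-relative")
    return hits


def scan_log(text: str, login_path: str = "/system/login") -> list:
    """One finding per login request whose redirectUrl trips at least one indicator."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != login_path:
            continue
        # parse_qs already percent-decodes once; decode_param handles further rounds.
        for param in parse_qs(target.query, keep_blank_values=True).get("redirectUrl", []):
            decoded = decode_param(param)
            hits = classify_redirect(decoded)
            if hits:
                findings.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                                 "param": param, "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['indicators']} {f['decoded']!r}")
```

On the constructed sample the first line is clean and the article-list request is skipped; the three remaining login requests are reported, including the double-encoded `%252F%252Fevil.example%252F`, which a signature applied to the raw request line would miss. Feeding real logs through the same decode-then-classify order is the point: decide on what the server will actually see, not on the bytes as logged.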
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-25T12:53:50.746Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694de1be90f5ab8d8485b016
Added to database: 12/26/2025, 1:15:42 AM
Last enriched: 12/26/2025, 1:30:34 AM
Last updated: 12/26/2025, 4:24:05 AM