CVE-2025-15094: Cross Site Scripting in sunkaifei FlyCMS

Severity: Medium
Tags: Vulnerability, CVE-2025-15094, cve
Published: Fri Dec 26 2025 (12/26/2025, 01:32:06 UTC)
Source: CVE Database V5
Vendor/Project: sunkaifei
Product: FlyCMS

Description

A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/24/2026, 22:30:04 UTC

Technical Analysis

CVE-2025-15094 identifies a cross-site scripting (XSS) vulnerability in FlyCMS, specifically in the userLogin function located in src/main/java/com/flycms/web/front/UserController.java. The vulnerability is triggered by manipulation of the redirectUrl parameter, which is not properly sanitized or validated before being reflected in the application's response. This flaw allows remote attackers to inject arbitrary JavaScript code that executes in the context of the victim's browser when they interact with a crafted URL. The vulnerability requires no authentication and can be exploited remotely, but user interaction is necessary to trigger the malicious script. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with attack vector network, low attack complexity, no privileges required, and user interaction needed. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or phishing attacks. The vendor sunkaifei has been notified but has not responded or issued a patch, and FlyCMS does not use versioning, complicating identification of unaffected versions. The public availability of an exploit increases the risk of exploitation in the wild. This vulnerability highlights the importance of input validation and output encoding in web applications, especially in login workflows where redirect parameters are common.

Potential Impact

The vulnerability allows attackers to execute arbitrary JavaScript in the context of users visiting a maliciously crafted URL, potentially leading to session hijacking, theft of sensitive information such as credentials, or redirection to phishing sites. This can undermine user trust and compromise the security of websites running FlyCMS. Since the flaw exists in the login component, successful exploitation could facilitate unauthorized access or persistent attacks against user accounts. Organizations relying on FlyCMS for content management and user authentication face risks of data breaches, reputational damage, and regulatory consequences if user data is compromised. The lack of vendor response and patch availability increases exposure time, raising the likelihood of exploitation. Although no widespread exploitation is currently reported, the public exploit availability means opportunistic attackers could target vulnerable installations. The impact is primarily on confidentiality and integrity, with limited direct availability impact. Overall, this vulnerability poses a moderate risk to organizations using FlyCMS, especially those with high user interaction or sensitive data.

Mitigation Recommendations

Organizations should immediately implement input validation and output encoding for the redirectUrl parameter to neutralize malicious scripts. If source code modification is possible, sanitize the redirectUrl input by allowing only safe URLs or using a whitelist approach. Employ Content Security Policy (CSP) headers to restrict script execution and reduce XSS impact. Monitor web server logs for suspicious requests containing script payloads targeting redirectUrl. If FlyCMS is deployed behind a web application firewall (WAF), configure rules to detect and block XSS attempts in URL parameters. Educate users to avoid clicking suspicious links and report unusual login page behavior. Since no official patch is available, consider isolating or restricting access to FlyCMS login pages until a fix is released. Regularly check for vendor updates or community patches. Additionally, implement multi-factor authentication (MFA) to mitigate the impact of credential theft resulting from XSS attacks. Finally, conduct security assessments and penetration tests focusing on input validation in FlyCMS installations.
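The analysis above describes redirectUrl being reflected without validation, and the mitigation calls for an allowlist plus output encoding. As an added example (not FlyCMS code; the function names, the default target and the character allowlist are assumptions), here is a validate-then-encode routine for a login redirect parameter in Python:

```python
import html
import re
from urllib.parse import urlsplit

# Assumed conservative allowlist for a same-site redirect path: must begin with
# a single "/" and may contain only path/query characters. Quotes, angle
# brackets, colons, backslashes, whitespace and control characters are all
# excluded, so the value is rejected rather than "cleaned up".
_SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9/_.\-?=&%]*$")


def safe_redirect_target(redirect_url, default="/"):
    """Return redirect_url only if it is a same-site relative path, else default.

    Rejects absolute URLs (scheme or host present), protocol-relative "//host"
    values, scheme-only values such as "javascript:..." and anything containing
    characters outside the allowlist.
    """
    if not isinstance(redirect_url, str) or not redirect_url:
        return default
    if not _SAFE_PATH_RE.fullmatch(redirect_url):
        return default
    # "//host/path" matches the regex but is a protocol-relative open redirect.
    if redirect_url.startswith("//"):
        return default
    # Defence in depth: the parser must also see neither scheme nor host.
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        return default
    return redirect_url


def render_redirect_link(redirect_url):
    """Validate first, then HTML-encode before the value enters a response body.

    Both steps matter: validation limits where a user can be sent, encoding
    makes whatever is reflected inert inside an HTML attribute or text node.
    """
    target = safe_redirect_target(redirect_url)
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path and several rejected ones.
    for value in ["/user/profile?tab=posts", "//attacker.example/login",
                  "javascript:alert(1)", '/"><b>x</b>']:
        print(repr(value), "->", render_redirect_link(value))
```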


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-25T12:53:54.953Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 694dec4090f5ab8d848ddc74

Added to database: 12/26/2025, 2:00:32 AM

Last enriched: 2/24/2026, 10:30:04 PM

Last updated: 3/25/2026, 4:49:56 AM