CVE-2025-15094: Cross Site Scripting in sunkaifei FlyCMS
A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Manipulating the argument redirectUrl can lead to cross-site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2025-15094 identifies a cross-site scripting (XSS) vulnerability in FlyCMS, specifically in the userLogin function within the UserController.java file. The vulnerability is triggered by manipulation of the redirectUrl argument, which is not properly sanitized or encoded before being reflected in the web response. This flaw allows remote attackers to inject arbitrary JavaScript code that executes in the context of the victim’s browser when they interact with a crafted URL. The vulnerability does not require authentication or privileges, making it accessible to unauthenticated attackers. The vulnerability is classified as reflected XSS, which typically requires user interaction such as clicking a malicious link. The CVSS 4.0 score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and having limited impact on confidentiality and integrity. The vendor sunkaifei has been informed but has not responded or released patches, and FlyCMS does not use versioning, complicating identification of affected versions. Public exploit code is available, increasing the risk of exploitation. The vulnerability could be leveraged to steal session cookies, perform phishing attacks, or redirect users to malicious websites, potentially compromising user accounts and organizational security.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to web applications using FlyCMS for content management, especially those exposing login functionality to the internet. Successful exploitation can lead to session hijacking, enabling attackers to impersonate legitimate users, potentially accessing sensitive data or administrative functions. It can also facilitate phishing attacks by redirecting users to malicious sites, undermining user trust and potentially leading to credential theft. The lack of vendor response and absence of patches increases exposure time. Organizations in sectors with high regulatory requirements for data protection, such as finance, healthcare, and government, may face compliance risks if user data is compromised. Additionally, reputational damage and operational disruption could result from successful attacks. While the vulnerability does not directly impact system availability, the indirect effects on integrity and confidentiality can be significant.
Mitigation Recommendations
European organizations should implement immediate mitigations including input validation and output encoding on the redirectUrl parameter within FlyCMS, ideally by sanitizing inputs to remove or encode potentially malicious characters. Web Application Firewalls (WAFs) should be configured to detect and block suspicious requests containing script payloads in URL parameters. Organizations should monitor web server logs for unusual redirectUrl parameter usage and user reports of suspicious behavior. If possible, disable or restrict the use of redirectUrl parameters in login workflows until a vendor patch is available. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Conduct user awareness training to recognize phishing attempts that may leverage this vulnerability. Finally, consider migrating to alternative CMS platforms with active security maintenance if FlyCMS support remains unresponsive.
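The validation, output encoding and log monitoring recommended above, as an added illustration that is not FlyCMS's own code: Python is used for a self-contained demonstration, and the hidden-field rendering, the parameter being already percent-decoded once by the framework, and the access-log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit
from html import escape

def safe_redirect_target(raw, default="/"):
    """Return `raw` only if it is a same-site relative path, else `default`.
    Assumes the framework already percent-decoded the parameter once. Rejects
    absolute and protocol-relative URLs, any scheme (javascript:, data:),
    control characters and HTML metacharacters."""
    if not raw:
        return default
    value = raw.strip()
    if any(ord(c) < 0x20 or c in '<>"\'\\' for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value

def render_hidden_field_unsafe(redirect):
    # The pattern the advisory describes: the parameter is reflected verbatim.
    return f'<input type="hidden" name="redirectUrl" value="{redirect}">'

def render_hidden_field_safe(redirect):
    # Hardened form: validate first, then attribute-encode what is reflected.
    return f'<input type="hidden" name="redirectUrl" value="{escape(safe_redirect_target(redirect))}">'

# Constructed access-log lines (Combined Log Format), not real traffic.
ACCESS_LOG = [
    '203.0.113.5 - - [26/Dec/2025:02:00:00 +0000] "GET /user/login?redirectUrl=/user/profile HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Dec/2025:02:00:07 +0000] "GET /user/login?redirectUrl=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Dec/2025:02:00:09 +0000] "GET /user/login?redirectUrl=//evil.example/ HTTP/1.1" 200 512',
]

def flag_suspicious_redirects(lines):
    """Return (client, raw_value) for requests whose redirectUrl fails validation."""
    flagged = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        client, target = m.groups()
        for raw in parse_qs(urlsplit(target).query).get("redirectUrl", []):
            if safe_redirect_target(raw) != raw:
                flagged.append((client, raw))
    return flagged
```

Anything the validator rewrites to the default target is exactly what the log check flags, so the same rule serves both the code fix and the monitoring.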
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-25T12:53:54.953Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 694dec4090f5ab8d848ddc74
Added to database: 12/26/2025, 2:00:32 AM
Last enriched: 12/26/2025, 2:15:31 AM
Last updated: 12/26/2025, 4:25:23 AM