CVE-2025-27801: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Optimizely Episerver Content Management System (CMS)
The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files that include malicious JavaScript code that would be executed if a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)
AI Analysis
Technical Summary
CVE-2025-27801 is a Stored Cross-Site Scripting (XSS) vulnerability identified in Optimizely's Episerver Content Management System (CMS) affecting versions 11.x (EPiServer.CMS.Core <11.21.4 with EPiServer.CMS.UI <11.37.5) and 12.x (EPiServer.CMS.Core <12.22.1 with EPiServer.CMS.UI <11.37.3). The vulnerability stems from improper neutralization of input during web page generation (CWE-79). Specifically, the ContentReference properties in the CMS's Edit section allow authenticated users with the WebEditor role to upload documents, including SVG files. An SVG file can carry JavaScript, and that script runs when a user opens the direct URL of the preview image in the browser. This stored XSS flaw enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the CMS interface. Exploitation requires at least WebEditor privileges, so it is limited to authenticated users with elevated roles. The only user interaction required is that a victim visits the preview image URL. The CVSS 4.0 base score is 4.6, reflecting medium severity: exploitation requires authentication and user interaction, the scope is limited, and the impact on confidentiality is low, with some impact on integrity and availability. No public exploits or active exploitation in the wild have been reported to date. The vulnerability highlights the risk of insufficient input sanitization for SVG uploads and the need for strict content validation in CMS platforms.
Potential Impact
For European organizations using the affected versions of Optimizely Episerver CMS, this vulnerability poses a moderate risk. Attackers with WebEditor access could embed malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, unauthorized content modification, or further lateral movement within the CMS environment. This could compromise the integrity of published content and damage organizational reputation. Since the vulnerability requires authenticated access, the risk is primarily internal or from compromised accounts. However, organizations with large editorial teams or third-party contributors are at higher risk. The impact on availability is limited but could include denial of service if malicious scripts disrupt CMS functionality. Confidentiality impact is low but not negligible if session tokens or sensitive data are exposed. Given the widespread use of Episerver CMS in European public sector, media, and corporate websites, exploitation could affect critical information infrastructure and public-facing services. The vulnerability also raises compliance concerns under GDPR if personal data is exposed or manipulated.
Mitigation Recommendations
Organizations should upgrade to the fixed versions of Episerver CMS: EPiServer.CMS.Core 11.21.4 with EPiServer.CMS.UI 11.37.5 for the 11.x branch, and EPiServer.CMS.Core 12.22.1 with EPiServer.CMS.UI 11.37.3 for the 12.x branch. Until the upgrade can be applied, restrict the WebEditor role to trusted personnel only and monitor their activities closely. Implement strict validation and sanitization of uploaded SVG files, and disable SVG uploads if they are not essential. Send a restrictive Content Security Policy (CSP) on the responses that serve uploaded files, not only on CMS pages, since the script runs when the SVG is opened directly rather than when it is embedded in a page. Conduct regular audits of uploaded content for suspicious files. Enhance authentication with multi-factor authentication (MFA) to reduce the risk of compromised accounts. Educate CMS users about phishing and social engineering risks that could lead to credential theft. Monitor web server logs for unusual access patterns to preview URLs. Finally, consider deploying a web application firewall (WAF) with custom rules to detect and block malicious SVG payloads.
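The audit and hardening steps above, as an added example that is not code from the page or from Optimizely: a stdlib-only scanner that flags the constructs which make an SVG executable when opened directly (script elements, event-handler attributes, executable href schemes), plus the response headers to serve uploaded SVGs with. The sample SVGs are constructed for the demonstration; `find_active_content` and `safe_svg_response_headers` are hypothetical names, not Episerver APIs.

```python
import re
import xml.etree.ElementTree as ET

# Element names that carry or host active content when an SVG is rendered
# as a top-level document (as with the preview URL described above).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Link schemes that turn an href into code execution or a nested document.
DANGEROUS_SCHEME = re.compile(
    r"^[\s\x00-\x1f]*(javascript|vbscript)\s*:|^\s*data:\s*(text/html|image/svg)", re.I)

def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings for an uploaded SVG; an empty list means it is inert."""
    try:
        root = ET.fromstring(svg_bytes)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]  # reject rather than guess
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # every on* attribute in SVG is an event handler
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and DANGEROUS_SCHEME.match(value):
                findings.append(f"href with executable scheme on <{name}>")
    return findings

def safe_svg_response_headers() -> dict[str, str]:
    """Headers for serving an uploaded SVG so that any embedded script cannot run."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # CSP applies to the SVG document itself when it is the top-level resource.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",  # drop this if inline preview is required
    }

# Constructed samples (not real uploads): a plain icon and one with active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="">'
              b'<script/><a xlink:href="javascript:;"/></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(sample) or "inert")
```

Run the scanner over the CMS media store as a periodic audit, and apply the header set on the route that serves documents directly; for production XML parsing of untrusted input, prefer defusedxml over the stdlib parser.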
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Norway, Denmark, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-03-07T06:46:34.309Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68873928ad5a09ad008166a9
Added to database: 7/28/2025, 8:47:36 AM
Last enriched: 11/4/2025, 2:28:48 AM
Last updated: 12/3/2025, 11:55:38 PM