CVE-2025-60869 is a persistent Cross-Site Scripting (XSS) vulnerability identified in Publii CMS version 0.46.5 (build 17089). The vulnerability stems from insufficient input sanitization in configuration fields such as 'Site Description' and 'Footer Follow Buttons'. Attackers with low-level privileges can inject arbitrary JavaScript code into these fields, which is then stored within the static site project files generated by Publii CMS. When remote users visit the affected static site, the malicious script executes in their browsers, potentially leading to theft of sensitive information such as cookies, session tokens, or other data accessible via the browser context. This type of persistent XSS is particularly dangerous because the malicious payload is served directly from the trusted domain, increasing the likelihood of successful exploitation. The CVSS 3.1 base score of 7.3 reflects high impact on confidentiality and integrity, with low attack complexity and no requirement for authentication to trigger the vulnerability, though user interaction (visiting the site) is necessary. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for websites using Publii CMS for static content delivery. The vulnerability was reserved on 2025-09-26 and published on 2025-10-10, indicating recent discovery and disclosure. The lack of available patches or mitigation links suggests that organizations must proactively implement workarounds or updates once available.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of data accessed via websites built with Publii CMS. Attackers could exploit this flaw to execute malicious scripts in the browsers of site visitors, potentially leading to credential theft, session hijacking, or distribution of malware. This can damage user trust, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is compromised), and cause reputational harm. Since Publii CMS is used for static site generation, the attack surface includes any public-facing websites managed with this CMS, which may be used by SMEs, bloggers, or organizations preferring static site architectures. The persistent nature of the XSS means that once injected, the malicious code remains until the configuration is sanitized or the vulnerability is patched, increasing exposure duration. The requirement for low privileges to inject the payload means insider threats or compromised low-level accounts could facilitate exploitation. The lack of known exploits in the wild provides a window for mitigation, but also means organizations should act swiftly to prevent future attacks.

European organizations should immediately audit their use of Publii CMS, specifically version 0.46.5 or earlier, to identify if vulnerable configurations exist. Until an official patch is released, administrators should avoid entering untrusted input into configuration fields like 'Site Description' and 'Footer Follow Buttons'. Implement manual sanitization of these fields by stripping or encoding potentially dangerous characters before saving. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of injected JavaScript. Regularly review and sanitize existing configuration data to remove any malicious payloads. Monitor web server logs and user reports for suspicious activity indicative of XSS exploitation. Consider isolating or temporarily disabling vulnerable site features if feasible. Once a patch or update is available from Publii CMS, apply it promptly. Additionally, educate content managers and administrators about the risks of injecting untrusted content into configuration fields. Employ automated scanning tools that detect XSS vulnerabilities in static site content as part of the deployment pipeline.