CVE-2025-57520 – Stored XSS in Decap CMS (<= 3.8.3)

Onurcan Genç

16 Mar 2026 — 1 min read

A stored cross-site scripting (XSS) vulnerability exists in Decap CMS up to version 3.8.3.
The issue affects multiple input fields in the admin interface and is triggered when a privileged user opens the content preview panel of a malicious entry.

Vulnerability Summary

CVE ID: CVE-2025-57520
Type: Stored Cross-Site Scripting (XSS)
Affected Versions: Decap CMS <= 3.8.3
Affected Component: Admin Panel → Content Preview (title, tags, description, body)
Impact: Session hijacking, credential theft, arbitrary JavaScript execution
Discoverer: Onurcan Genç – Independent Security Researcher

Proof of Concept (PoC)

Payload Example

"><img src=x onerror=alert(document.cookie)>

Steps

Login as Contributor/Editor (low privilege).
Create a new blog entry.
Insert the payload into one of the vulnerable fields (e.g., title).
Save the entry.
Login as Admin (high privilege).
Open the entry in Preview.
Payload executes in the admin’s browser context.

Screenshot

Vulnerable fields

Admin opens preview → payload executes:

Impact

Stored XSS in multiple fields (title, tags, description, body)
Arbitrary JavaScript execution in admin/editor sessions
Can lead to:
- Session hijacking
- Credential theft
- Content defacement
- Backdoor injection into generated websites

References

Blog Advisory: Decap CMS XSS Analysis
CVE Record: CVE-2025-57520
Decap CMS GitHub: decaporg/decap-cms

HTB Bastion: Mounting Secrets from the Past

Add the target machine IP to /etc/hosts to bind it to a domain name. This makes it easier to reference the target without memorizing the IP address. nano /etc/hosts Check whether the target is accessible via the ping command. Sending only 4 ICMP requests is sufficient; otherwise, it

HTB Valentine: Heartbleed to Root via tmux Session Hijack

Begin by adding the target machine IP to /etc/hosts. nano /etc/hosts sudo nmap -sV -sC valentine.htb I also conducted an NSE script scan against the vulnerable target. sudo nmap -sV --script=vuln valentine.htb --max-rate=10000 Meanwhile, directory fuzzing also proved useful. dirsearch -u http://valentine.htb

HTB Curling: Joomla RCE to Curl Config File Abuse

Begin with binding machine IP to custom domain. Conduct port scanning sudo nmap -sV -sC curling.htb Let's check Joomla: There were nothing valuable in this page. I also conducted a port scan with --script=vuln NSE engine. sudo nmap -sV --script=vuln --max-rate=10000 curling.htb It

CVE-2026-34156: VM Sandbox Escape to RCE in NocoBase

I discovered a critical vulnerability (CVSS3.1 10.0) in NocoBase's Workflow Script Node that allows an authenticated attacker to escape the Node.js vm sandbox and achieve Remote Code Execution as root with a single HTTP request. * CVE: CVE-2026-34156 * Advisory: GHSA-px3p-vgh9-m57c * Severity: Critical: CVSS:3.1 10.