CVE-2025-50481: Mezzanine CMS vulnerable to Cross-site Scripting
4.8
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Mezzanine | pip | <= 6.1.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) in Mezzanine CMS. The analysis started by investigating the provided references, particularly the exploit PoC, which confirmed that the vulnerability is triggered when creating a blog post with a malicious title.

To pinpoint the vulnerable code, I identified the patched version by looking at the repository tags. The version 6.1.0 was vulnerable, and the next version 6.1.1 contained the fix. By comparing the commits between these two versions, I found a single commit with the message 'fix: [security] fix XSS in admin'. This commit modified the `mezzanine/core/views.py` file, specifically the `displayable_links_js` function. The patch introduced the `escape` function from `django.utils.html` to sanitize the title attribute of displayable objects. This indicates that the `displayable_links_js` function was the source of the XSS vulnerability, as it was rendering unescaped user-provided content (the blog post title) in a JavaScript context within the admin panel.
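The difference the patch makes can be modelled in a few lines. This is an added example, not Mezzanine's code: the function names, the `title`/`value` entry layout and the sample items are assumptions, and the standard library's `html.escape` stands in for `django.utils.html.escape` so the block runs without Django.

```python
import json
from html import escape  # stdlib stand-in for django.utils.html.escape (assumption)

# Constructed sample data: (title, url) pairs as a content author could enter them.
SAMPLE_ITEMS = [
    ("Release notes", "/blog/release-notes/"),
    ('<img src=x onerror="alert(1)">', "/blog/untitled/"),
    ("Q&A: Tom's post", "/blog/qa/"),
]


def links_json_unescaped(items):
    """Model of the pre-fix behaviour: titles copied verbatim into the link list."""
    return json.dumps([{"title": str(t), "value": u} for t, u in items])


def links_json_escaped(items):
    """Model of the post-fix behaviour: titles HTML-escaped before serialisation."""
    return json.dumps([{"title": escape(str(t)), "value": u} for t, u in items])


def titles_with_raw_markup(payload):
    """Regression check: return titles that still carry raw HTML metacharacters.

    After escaping, '<', '>', '"' and "'" can only appear as entities, so any
    title containing one of them literally was not escaped.
    """
    risky = set("<>\"'")
    return [e["title"] for e in json.loads(payload) if risky & set(e["title"])]


if __name__ == "__main__":
    variants = (("unescaped", links_json_unescaped), ("escaped", links_json_escaped))
    for name, build in variants:
        print(name, titles_with_raw_markup(build(SAMPLE_ITEMS)))
```

JSON serialisation alone does not neutralise the title: `json.dumps` keeps `<` and `>` intact, so the markup survives until whatever consumes the list inserts it into the admin page. A check like `titles_with_raw_markup` can be pointed at the real endpoint's response in a regression test.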