6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66026

GHSA ID

GHSA-x6vr-q3vf-vqgq

EPSS Score

CWE

CWE-79

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66026

CVE-2025-66026: REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

Summary

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in.

Details

Control Flow:

redaxo/src/addons/mediapool/pages/index.php reads args via rex_request('args', 'array') and passes them through as $argUrl to media.list.php.
redaxo/src/addons/mediapool/pages/media.list.php injects $argUrl['args']['types'] into an HTML string without escaping:

if (!empty($argUrl['args']['types'])) {
    echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>');
}

PoC

Log into the REDAXO backend.
While authenticated, open a crafted URL like: <host>/index.php?page=mediapool/media&args[types]="><img+src%3Dx+onerror%3Dalert%28document.domain%29>
The info banner displays the unescaped value and activates the injected onerror handler, which opens an alert pop-up.

Impact

Arbitrary JavaScript execution in the backend, enabling theft of session cookies, CSRF tokens, or other sensitive data, and allowing an attacker to perform any administrative actions on behalf of the affected user.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66026

CVE-2025-66026:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66026

GHSA ID

GHSA-x6vr-q3vf-vqgq

EPSS Score

CWE

CWE-79

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
redaxo/source	composer	< 5.20.1	5.20.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security advisory and the associated commit 58929062312cf03e344ab04067a365e6b6ee66aa reveals a primary reflected XSS vulnerability and two other potential XSS vulnerabilities that were fixed in the same patch. The main vulnerability, as described in the advisory, is located in redaxo/src/addons/mediapool/pages/media.list.php. This script directly includes the args[types] request parameter in its output without proper escaping. The patch confirms this by adding rex_escape() to the variable. Since this code is in the global scope of the PHP script, it's not contained within a specific function, so the vulnerable component is the script itself. During exploitation, a profiler would show execution within this file. Additionally, the patch addresses similar escaping issues in redaxo/src/addons/mediapool/lib/service_media.php. The functions rex_media_service::addMedia and rex_media_service::updateMedia were found to construct error messages with unescaped user-controllable data (file extensions and types). Although not the primary reported vulnerability, these could also lead to XSS if the error messages are displayed to the user. The patch proactively adds rex_escape() in these locations as well.

Vulnerable functions

media.list.php

redaxo/src/addons/mediapool/pages/media.list.php

The vulnerability exists in the global scope of the 'media.list.php' script, not within a specific function. The script directly renders the 'args[types]' request parameter without any HTML escaping, leading to a reflected XSS. The patch remediates this by adding the 'rex_escape' function to sanitize the output.

rex_media_service::addMedia

redaxo/src/addons/mediapool/lib/service_media.php

The 'addMedia' function constructs an error message with a file extension from user-provided data. This data was not escaped prior to the patch, which could lead to a cross-site scripting vulnerability if the error message is rendered in a web browser. The patch mitigates this by using 'rex_escape' to sanitize the file extension.

rex_media_service::updateMedia

redaxo/src/addons/mediapool/lib/service_media.php

The 'updateMedia' function creates an error message that includes the new file extension and file type, which can be influenced by user input. The lack of escaping on these values created a potential XSS vulnerability. The fix applies 'rex_escape' to sanitize these values before they are included in the error message.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66026: REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

Summary

Details

PoC

Impact

CVE-2025-66026:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-66026: REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]

Summary

Details

PoC

Impact

6.1

6.1

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI