Scan free
LOWCVE-2025-13181CVSS 3.5

CVE-2025-13181: XSS in h3blog 1.0

Platform

php

Component

cve-md

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-13181 describes a cross-site scripting (XSS) vulnerability discovered in h3blog version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts or stealing sensitive data. The vulnerability affects versions 1.0 and has been publicly disclosed, indicating a potential for widespread exploitation.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-13181 allows an attacker to inject arbitrary JavaScript code into the h3blog application. This code can then be executed in the context of a user's browser, enabling the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The vulnerability resides in the handling of the 'Name' parameter within the '/admin/cms/material/add' endpoint, making it relatively straightforward to exploit. Given the publicly disclosed nature of the vulnerability, it is likely that automated scanning tools are already identifying and attempting to exploit vulnerable instances.

Exploitation Context

CVE-2025-13181 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is confirmed to be exploitable remotely. No specific campaigns or KEV listing are currently known, but the public disclosure increases the risk of opportunistic attacks. The CVSS score of 3.5 (LOW) reflects the relatively low complexity of exploitation and limited impact, but the public availability of the vulnerability warrants immediate attention.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.05% (14% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentcve-md
Vendorpojoin
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 191 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-13181 is to upgrade to a patched version of h3blog. Since a fixed version is not specified in the provided data, it is crucial to consult the h3blog project's official website or repository for the latest release. As a temporary workaround, input validation and output encoding should be implemented on the 'Name' parameter in the '/admin/cms/material/add' endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) can also be configured to block requests containing suspicious payloads targeting this endpoint.

How to fix

Update to a patched version or remove the h3blog component. Verify and sanitize user inputs in the 'Name' field to prevent malicious code injection. Implement additional security measures, such as data escaping, to prevent future XSS attacks.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-13181 — XSS in h3blog 1.0?

CVE-2025-13181 is a cross-site scripting (XSS) vulnerability in h3blog version 1.0, allowing attackers to inject malicious scripts via the 'Name' parameter in the /admin/cms/material/add endpoint.

Am I affected by CVE-2025-13181 in h3blog 1.0?

If you are running h3blog version 1.0, you are potentially affected by this vulnerability. Check your installation and upgrade as soon as possible.

How do I fix CVE-2025-13181 in h3blog 1.0?

Upgrade to the latest patched version of h3blog. Consult the official h3blog project website for release information. Implement input validation and output encoding as a temporary workaround.

Is CVE-2025-13181 being actively exploited?

The vulnerability has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.

Where can I find the official h3blog advisory for CVE-2025-13181?

Consult the official h3blog project website or repository for the latest security advisories and updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs