1.0.1
CVE-2025-13182 describes a cross-site scripting (XSS) vulnerability affecting pojoin h3blog version 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the Title argument of the /admin/cms/category/addtitle file. A public proof-of-concept is available, indicating a heightened risk of exploitation.
Successful exploitation of CVE-2025-13182 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including stealing session cookies, redirecting users to phishing sites, or modifying the content displayed on the h3blog platform. Given the administrative nature of the affected file (/admin/cms/category/addtitle), an attacker who gains access could potentially compromise the entire h3blog instance and its associated data. The availability of a public proof-of-concept significantly lowers the barrier to entry for attackers.
CVE-2025-13182 has been publicly disclosed and a proof-of-concept is available, indicating a moderate risk of exploitation. The vulnerability was published on 2025-11-14. The LOW CVSS score reflects the relatively simple exploitation path and potential impact, but the public PoC elevates the risk. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status: EPSS 0.06% (20th percentile)
The primary mitigation for CVE-2025-13182 is to upgrade to a patched version of pojoin h3blog. Since no fixed version is specified, it's crucial to consult the vendor's official advisory for the latest release. As a temporary workaround, implement strict input validation and output encoding on the Title field within /admin/cms/category/addtitle. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging XSS techniques.
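The two workaround controls named above, output encoding and input validation on the Title field, are shown side by side below in an added example. This is illustrative code written for this page, not h3blog's own code: the rendering functions, the regular expression and the sample titles are assumptions, and the unsafe title is a constructed probe string used only to show the difference between the unencoded and encoded output.

```python
import html
import re

# Constructed sample inputs for this example: one ordinary category title and
# one markup-bearing title of the kind an XSS report would describe.
SAFE_TITLE = "Security Notes"
UNTRUSTED_TITLE = "<script>alert(1)</script>"


def render_category_vulnerable(title: str) -> str:
    """Reflects the title into HTML verbatim: the pattern behind a stored XSS.

    Hypothetical snippet, not h3blog's template code.
    """
    return f"<li class='category'>{title}</li>"


def render_category_hardened(title: str) -> str:
    """Output-encodes the title so the browser treats it as text, not markup.

    html.escape with quote=True also encodes ' and ", which matters when the
    value lands inside an attribute rather than element text.
    """
    return f"<li class='category'>{html.escape(title, quote=True)}</li>"


TITLE_MAX_LEN = 100
# Allow-list for category titles (an assumption about what titles should look
# like): letters and digits in any script, spaces and a few punctuation marks.
# Angle brackets, quotes and control characters are rejected outright.
_TITLE_RE = re.compile(r"^[\w \-.,:;!?()/]{1,%d}$" % TITLE_MAX_LEN)


def validate_title(title: str) -> tuple[bool, str]:
    """Input validation for the Title field; returns (accepted, reason).

    Validation is defence in depth here: the encoding in
    render_category_hardened is what actually stops script injection.
    """
    if not title or not title.strip():
        return False, "title is empty"
    if len(title) > TITLE_MAX_LEN:
        return False, f"title longer than {TITLE_MAX_LEN} characters"
    if not _TITLE_RE.fullmatch(title):
        return False, "title contains characters outside the allowed set"
    return True, ""


if __name__ == "__main__":
    for t in (SAFE_TITLE, UNTRUSTED_TITLE):
        print("validate:", validate_title(t))
        print("unencoded:", render_category_vulnerable(t))
        print("encoded:  ", render_category_hardened(t))
```

The hardened renderer is the control to rely on: once the title is encoded at the point it is written into HTML, a title that slips past validation (or is inserted directly into the database) is still displayed as literal text. The validator is useful mainly to reject obviously malformed titles early and to produce a clear error for the administrator.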
Update to a patched version or apply the necessary security measures to prevent code injection (XSS) in the Title field when adding a category.
CVE-2025-13182 is a cross-site scripting (XSS) vulnerability in pojoin h3blog version 1.0, allowing attackers to inject malicious scripts via the Title argument in /admin/cms/category/addtitle.
If you are using pojoin h3blog version 1.0, you are potentially affected by this vulnerability. Upgrade to the latest version as soon as possible.
Upgrade to a patched version of pojoin h3blog. Consult the vendor's official advisory for the latest release. Implement input validation and output encoding as a temporary workaround.
A public proof-of-concept exists, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
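To make the monitoring advice above concrete, the following added example scans web-server access log lines for requests to the affected endpoint whose parameters carry HTML markup. It is not part of the page or of h3blog; the log lines are constructed for the example, the IP addresses are documentation-range placeholders, and the assumption is that the Title value appears in the logged request line as a query parameter. If the application accepts the title in a POST body, only application-level request logging (not a plain access log) would show the value, and the same checks would apply there.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (Combined/Common log format). The
# second line carries a markup-bearing title parameter; the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - admin [14/Nov/2025:10:01:02 +0000] "GET /admin/cms/category/addtitle?title=Security%20Notes HTTP/1.1" 200 512
203.0.113.7 - admin [14/Nov/2025:10:02:15 +0000] "GET /admin/cms/category/addtitle?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.9 - - [14/Nov/2025:10:03:44 +0000] "GET /index HTTP/1.1" 200 1024
203.0.113.7 - admin [14/Nov/2025:10:04:01 +0000] "GET /admin/cms/category/addtitle?title=Notes%20%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 512
"""

# Endpoint named in the advisory.
WATCHED_PATH = "/admin/cms/category/addtitle"

# Request line: method, target, protocol.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup indicators in a decoded parameter value: tags, event-handler
# attributes and javascript: URLs. Tuned for low noise, not completeness.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_markup_in_params(log_text: str) -> list[dict]:
    """Return one finding per parameter value on the watched path that
    contains markup after URL decoding."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                value = unquote(raw)  # parse_qs decodes once; unquote handles double encoding
                if _MARKUP_RE.search(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "user": m.group("user"),
                        "timestamp": m.group("ts"),
                        "param": name,
                        "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in find_markup_in_params(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} user={f['user']} {f['param']}={f['value']!r}")
```

Two findings come out of the sample: the script tag and the bold tag, both from the same source address, while the ordinary title and the unrelated request are ignored. A hit on this endpoint is worth a look even when the title is harmless markup, because legitimate category names rarely contain tags at all; correlate the source address and account with the administrator's expected activity before treating it as an incident.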
Consult the pojoin website or security mailing lists for the official advisory regarding CVE-2025-13182.