CVE-2025-27801

low-risk
Published 2025-07-28

The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files that include malicious JavaScript code that would be executed if a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3)

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

References (4)

https://api.nuget.optimizely.com/packages/episerver.cms.core/11.21.4#
https://api.nuget.optimizely.com/packages/episerver.cms.core/12.22.1#
https://r.sec-consult.com/optimizely
http://seclists.org/fulldisclosure/2025/Aug/18
24
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal