CVE-2025-15540 | THREATINT

Description

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application. Due to a lack of sandboxing or access restrictions, JavaScript code executed through Raytha’s “functions” feature can instantiate .NET components and perform arbitrary operations within the application’s hosting environment. This issue was fixed in version 1.4.6.

PUBLISHED Reserved 2026-01-19 | Published 2026-03-16 | Updated 2026-03-16 | Assigner CERT-PL

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status

unaffected

Any version before 1.4.6

affected

Credits

Daniel Basta finder

References

cert.pl/en/posts/2026/03/CVE-2025-69236 third-party-advisory

raytha.com product

cve.org (CVE-2025-15540)

nvd.nist.gov (CVE-2025-15540)

Download JSON