CVE-2025-61183: VaahCMS is vulnerable to XSS through its Avatar Upload endpoint
A Cross-Site Scripting (XSS) vulnerability in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via the upload method in the storeAvatar() method of UserBase.php.
Detect and mitigate CVE-2025-61183 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.