Intel

AIKIDO-2026-530137

django-cms is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)GHSA-hvq6-2r72-p2x7 Published Today

44

Medium Risk

This Affects:

PYTHONdjango-cms
5.0.0 - 5.0.8
Fixed in 5.0.9
Are you affected? Scan for Free

TL;DR

When plugin rendering fails in edit mode, ContentRenderer.render_exception in cms/plugin_rendering.py builds the cms-rendering-exception heading by interpolating the exception message, placeholder and source strings, and the plugin's get_short_description() directly into an HTML string, then returns that placeholder output as safe markup. Stored content that reaches those values is parsed as HTML in a staff user's browser when the plugin later raises during edit-mode rendering, producing stored cross-site scripting in the CMS editing context. Enabling DEBUG does not mitigate the issue because the custom heading renders regardless of the traceback HTML. The fix escapes the heading with format_html before returning it as safe markup.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

django-cms is vulnerable to Cross-Site Scripting (XSS) in versions 5.0.0 - 5.0.8.

How to fix this

Upgrade the django-cms library to the patch version.