Key Information
CVE-ID: CVE-2025-50592
Product: SoaCMS webapp
Version: <=13.2
Problem Type: Cross Site Scripting (XSS)
Date Published: 2025-05-05

Description
Attackers exploiting this vulnerability in SoaCMS versions <=13.2 can conduct reflected cross-site scripting (XSS) attacks, forcing authenticated victims to execute arbitrary JavaScript code.

Vulnerability Reproduction
After deploying the SoaCMS (v13.2) web application, the parameter is identified in the route , which is transmitted via a GET request.

Payload Example

Analysis
The payload was delivered but failed to detonate: the JavaScript alert never popped. Runtime debugging exposed a global input sanitizer, which the payload partially bypassed, causing source code leakage. Only a tag is required to close the context, after which arbitrary JavaScript code can be executed.

Conclusion
Vulnerability reproduction and root-cause analysis completed.
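The analysis above describes the classic failure mode of a global input sanitizer: it blocks the obvious script tag, yet a single context-closing tag still lets markup through. The following is an added example (not SoaCMS's own code; the blocklist sanitizer, the textarea reflection context and the sample inputs are all assumptions constructed for illustration) that contrasts such a sanitizer with contextual output encoding at the point of reflection, and includes a simple check a reviewer can run to see whether reflected input injected markup into the rendered page.

```python
import html
import re

# Assumed blocklist-style "global input sanitizer": strips <script> tags only.
# This models the partial protection described in the advisory; it is not SoaCMS code.
SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def naive_sanitize(value: str) -> str:
    return SCRIPT_TAG_RE.sub("", value)

# Hardened alternative: encode for the HTML text context where the value is reflected,
# so '<', '>', '&' and quotes can never terminate the surrounding element.
def encode_for_html_text(value: str) -> str:
    return html.escape(value, quote=True)

def render_page(reflected: str, sanitizer) -> str:
    # Assumed reflection context: the GET parameter lands inside a <textarea>.
    return f"<textarea>{sanitizer(reflected)}</textarea>"

ANY_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")

def injected_markup(page: str) -> bool:
    # The template itself contains exactly two tags; any extra tag came from user input.
    return len(ANY_TAG_RE.findall(page)) != 2

# Constructed sample inputs (harmless markup, no script execution).
SCRIPT_SAMPLE = "<script>alert(1)</script>"
CLOSING_TAG_SAMPLE = "</textarea><b>constructed</b>"

def compare_sanitizers() -> dict:
    """Returns whether each sanitizer lets markup through for each sample."""
    return {
        "naive_blocks_script_tag": not injected_markup(render_page(SCRIPT_SAMPLE, naive_sanitize)),
        "naive_misses_closing_tag": injected_markup(render_page(CLOSING_TAG_SAMPLE, naive_sanitize)),
        "encoded_blocks_closing_tag": not injected_markup(render_page(CLOSING_TAG_SAMPLE, encode_for_html_text)),
    }

if __name__ == "__main__":
    for name, result in compare_sanitizers().items():
        print(f"{name}: {result}")
```

The three results are all True: the blocklist stops the script tag (the "alert never popped" outcome), fails on the context-closing tag, and contextual encoding neutralises both.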