Vulnerabilities in Raytha software
ID: 8ed59920-79d6-50da-a896-b1dd9079e327
STIX ID: report--8ed59920-79d6-50da-a896-b1dd9079e327
Feed Name: CERT Polska
CERT Polska disclosed multiple vulnerabilities in Raytha CMS (several CVEs published 16 March 2026) affecting versions before 1.4.6 (one issue fixed in 1.5.0). Issues include a dangerous code-injection capability in the Functions module (allowing instantiation of .NET components), multiple stored/reflected XSS flaws, CSRF, SSRF in theme import, host-header spoofing enabling password-reset token capture (account takeover), user enumeration, and no brute-force protections; patches have been released.
