silverstripe/cms is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper escaping of HTML input in the textfields of pages referred to by VirtualPage, which allows an attacker inject and execute arbitrary JavaScript in the browser.