I found a sXss vulnerability in the latest version of LavaLite CMS：
Users can create a malicious Blog Tittle that triggers malicious code when an administrator accesses the blog admin panel.

Exp:

<iframe src="javascript:alert(1)">test</iframe>
#or
<a href="javascript:alert(1)">test</a>

Poc:

Triggered when an administrator visits the blog admin page:

Affect：

Without httponly set, an attacker can steal the identity of an administrator or execute other malicious code.