An issue exists in Navigate CMS up to and including 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/structure/structure.class.php.
naviwebs navigate cms