Cross-site scripting (XSS) via SVG image upload #2404

@jaroslaw-wawiorko

Description

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the File Management module of FluentCMS. The vulnerability allows an authenticated administrator to upload SVG files containing malicious JavaScript code. This code is executed in the user's browser whenever the URL of the uploaded image is accessed.

Details

The application allows authenticated administrators to upload SVG files via the File Management module without proper sanitization. Since SVG files can contain embedded JavaScript, the malicious code executes automatically when the image is rendered in a browser. Because files are stored in a public directory and served without restrictive security headers, the XSS executes for any user accessing the file URL, including unauthenticated visitors.

PoC

To replicate this vulnerability:

  1. Log in to the FluentCMS admin panel.
  2. Navigate to File Management.
  3. Upload the SVG file.
  4. Note the path to the file in the request.
  5. Observe that the JavaScript code executes in the browser.

Impact

This could lead to unauthorized actions, UI manipulation, or redirecting users to malicious external websites.

Note

This public disclosure is being made after coordinating with the team.
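The report describes two weak points: the upload path accepts SVG without looking for embedded script, and the public directory serves the file without headers that would stop that script from running. The snippet below is an added example written for this page, not FluentCMS code and not the reporter's file: `active_content_findings` walks an uploaded SVG and reports the script carriers a browser would execute (`<script>`, `<foreignObject>`, `on*` handlers, `javascript:` links, including a whitespace-obfuscated scheme), and `upload_response_headers` returns the response headers that make a directly visited upload inert. The sample SVGs are constructed for the example; the function names and the 512 KiB size cap are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not the reporter's file): an SVG carrying three
# common script carriers, a <script> element, a javascript: link and an event
# handler attribute.  The "java\tscript:" scheme exercises the normalisation
# in active_content_findings below.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <script>alert(document.domain)</script>
  <a xlink:href="java\tscript:alert(1)"><rect width="10" height="10"/></a>
  <rect width="10" height="10" onload="alert(2)"/>
</svg>"""

# Constructed benign upload for comparison.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#336699"/>
</svg>"""

MAX_SVG_BYTES = 512 * 1024  # assumed cap; parse nothing larger than this
SCRIPT_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def active_content_findings(data: bytes) -> list[str]:
    """Describe every script-bearing construct in an uploaded SVG.

    An empty list means nothing executable was found.  Oversized or malformed
    input raises ValueError so the caller rejects it instead of storing it.
    """
    if len(data) > MAX_SVG_BYTES:
        raise ValueError("SVG too large")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SVG: {exc}") from exc

    findings = []
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href":
                # Browsers drop ASCII whitespace and control characters while
                # parsing a URL, so "java\tscript:" still runs.  Normalise the
                # same way before comparing the scheme.
                scheme = re.sub(r"[\x00-\x20]", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: href on <{tag}>")
    return findings


def upload_response_headers(content_type: str) -> dict[str, str]:
    """Headers for serving files out of the public upload directory.

    The CSP only takes effect when the file is opened as a top-level document,
    which is exactly the "access the file URL" case in the report; inside an
    <img> tag browsers do not run SVG script in the first place.
    """
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    if content_type == "image/svg+xml":
        # Visiting the URL directly now downloads the file instead of rendering
        # it; <img src="..."> ignores Content-Disposition and still displays it.
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    for label, svg in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, active_content_findings(svg))
    print(upload_response_headers("image/svg+xml"))
```

The attribute scan is defence in depth; the header change is the fix that closes the reported case on its own, because it neutralises script in files that are already sitting in the public directory. Rejecting a file on any non-empty finding is simpler and safer than trying to strip the offending nodes and keep the rest.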

Metadata

Labels: bug