FluentCMS Stored XSS via SVG Upload in File Management (CVE-2025-15549)
Author: Beatriz Fresno Naumova (beafn28), Jarosław Wawiórko
Date: 29/01/2026
Vendor: FluentCMS
Product: FluentCMS
Versions affected: ≤ 0.0.5
Component: File Management module (SVG upload handling)
CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
Attack type: Remote (authenticated)
Impact: Stored Cross-Site Scripting (XSS)
Description
FluentCMS versions up to and including 0.0.5 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the File Management module.
The application allows authenticated administrators to upload SVG files without proper sanitization. Since SVG files can contain embedded JavaScript, a malicious administrator can upload a crafted SVG file containing arbitrary JavaScript code.
Because uploaded files are stored in a publicly accessible directory and served without restrictive security headers, the malicious JavaScript is executed in the browser of any user who accesses the uploaded file URL, including unauthenticated visitors.
Impact
Primary impact
Execution of arbitrary JavaScript in the browser context of users accessing the malicious SVG file.
Consequences
Execution of attacker-controlled JavaScript
User interface manipulation
Redirection to malicious external websites
Potential session compromise depending on browser context
CVSS Details
CVSS v4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Base Score: 4.8 (Medium)
Solution
At the time of disclosure, no official fix was available.
Recommendation
Disallow SVG uploads or strictly sanitize SVG content before storage.
Remove or neutralize embedded JavaScript within uploaded files.
Serve uploaded files with restrictive security headers (e.g., Content-Security-Policy).
Restrict public access to uploaded files when possible.
Mitigation
Validate file types beyond extension checks.
Sanitize SVG files using a secure SVG sanitizer.
Serve user-uploaded files from a separate domain.
Perform regular security reviews of file upload functionality.
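The recommendations and mitigations above in working form, as an added example that is not part of this advisory and not FluentCMS code: a server-side SVG sanitizer that parses the upload (so the root element is validated, not just the extension), removes script-capable elements and event-handler attributes, restricts href/xlink:href to in-document fragments, reports what it stripped, and a helper that builds the response headers for serving stored uploads. All function, class and constant names are this example's own, and the two sample SVG documents are constructed fixtures.

```python
# Added example: conservative SVG upload hardening in the spirit of the
# recommendations above. Not FluentCMS code; all names here are this
# example's own, and the sample SVG documents are constructed fixtures.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default namespace and the xlink prefix in the serialized output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed another document. A plain image
# needs none of them, so they are removed outright rather than rewritten.
DISALLOWED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "style"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.split("}", 1)[1] if name.startswith("{") else name


@dataclass
class SanitizeReport:
    removed_elements: list = field(default_factory=list)    # tag names
    removed_attributes: list = field(default_factory=list)  # (tag, attribute)

    @property
    def had_active_content(self):
        """True when the upload carried something a browser could execute."""
        return bool(self.removed_elements or self.removed_attributes)


def _scrub(element, report):
    # Walk a copy of the child list: the list is mutated while iterating.
    for child in list(element):
        tag = _local(child.tag)
        if tag in DISALLOWED_ELEMENTS:
            report.removed_elements.append(tag)
            element.remove(child)
        else:
            _scrub(child, report)
    for name in list(element.attrib):
        local = _local(name).lower()
        value = element.attrib[name].strip()
        # Event handlers (onload, onclick, ...) are script; href/xlink:href is
        # only allowed to point inside the document ("#id"), which rules out
        # javascript:, data: and remote URLs in one check.
        if local.startswith("on") or (local == "href" and not value.startswith("#")):
            report.removed_attributes.append((_local(element.tag), local))
            del element.attrib[name]


def sanitize_svg(svg_bytes):
    """Parse an uploaded SVG, strip active content, return (clean_svg, report).

    Parsing rather than regex-matching is what makes this robust to the
    encoding tricks that defeat string filters. Raises ValueError if the
    document is not an SVG at all (content validation beyond the extension).
    """
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("upload is XML but not an SVG document")
    report = SanitizeReport()
    _scrub(root, report)
    return ET.tostring(root, encoding="unicode"), report


def upload_response_headers(filename):
    """Headers for serving a stored upload so it cannot act as a page.

    The CSP forbids script entirely even if something slipped past the
    sanitizer, nosniff stops the browser reinterpreting the body as HTML,
    and the attachment disposition keeps a direct visit from rendering it.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


# Constructed fixtures: one benign icon and one carrying the three classic
# carriers of script in SVG (script element, event handler, javascript: href).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(1)"><text>x</text></a>'
    b'<a href="#local"><circle r="1"/></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        clean, report = sanitize_svg(doc)
        print(label, "active content:", report.had_active_content, report)
        print(" ", clean)
    print(upload_response_headers("logo (1).svg"))
```

The same `sanitize_svg` doubles as a detection pass: run it over the files already in the upload directory and alert on any report where `had_active_content` is true, since those are the stored payloads this advisory describes. Two caveats on the design: `xml.etree` does not limit entity expansion, so put a size cap or a hardened parser such as defusedxml in front of it, and CSS (`style` attributes, `url()` values) is left untouched, so for anything beyond simple icons the advisory's first recommendation, disallowing SVG uploads altogether, remains the safer choice.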
Discoverer
Jarosław Wawiórko
Beatriz Fresno Naumova (beafn28)
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-15549
FluentCMS: https://github.com/fluentcms/FluentCMS/