CVE-2025-15549
Unknown Unknown - Not Provided
Stored XSS in FluentCMS 2026 File Management via SVG Upload

Publication date: 2026-01-29

Last updated on: 2026-03-10

Assigner: VulnCheck

Description
FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15549
EUVD
EUVD-2025-206518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fluentcms fluentcms to 0.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in FluentCMS's File Management module. Authenticated administrators can upload SVG files that contain embedded malicious JavaScript. These files are stored publicly and served without proper security headers, so when any user accesses the uploaded SVG file URL, the malicious JavaScript executes in their browser. This happens because the application does not properly sanitize SVG uploads. [1]

Impact Analysis

The vulnerability can allow attackers to execute unauthorized actions in the context of users visiting the uploaded SVG file URL. This includes manipulating the user interface, redirecting users to malicious websites, or performing other malicious activities in the victim's browser. Both authenticated and unauthenticated users can be affected when they access the malicious SVG file. [1]

Detection Guidance

This vulnerability can be detected by checking for the presence of SVG files uploaded via the FluentCMS File Management module that contain embedded JavaScript code. One approach is to log into the FluentCMS admin panel and review uploaded SVG files for suspicious script tags or JavaScript content. Additionally, you can scan the publicly accessible directories where SVG files are stored for files containing <script> tags or JavaScript event handlers. For example, you might use commands like 'grep -r "<script" /path/to/svg/uploads' on the server to find SVG files containing scripts. Also, monitoring HTTP requests to SVG files and inspecting responses for embedded JavaScript can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting the ability to upload SVG files to trusted administrators only, if not already restricted. Implement input validation and sanitization to remove any embedded JavaScript from SVG files before allowing uploads. Additionally, configure the web server to serve SVG files with restrictive security headers such as Content-Security-Policy to prevent script execution. Removing or quarantining any existing SVG files that contain embedded JavaScript is also recommended. Finally, coordinate with the FluentCMS development team for patches or updates addressing this vulnerability. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart