CVE-2025-15549
Stored XSS in FluentCMS 2026 File Management via SVG Upload
Publication date: 2026-01-29
Last updated on: 2026-03-10
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluentcms | fluentcms | up to and including 0.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in FluentCMS's File Management module. Authenticated administrators can upload SVG files that contain embedded malicious JavaScript. These files are stored publicly and served without proper security headers, so when any user accesses the uploaded SVG file URL, the malicious JavaScript executes in their browser. This happens because the application does not properly sanitize SVG uploads. [1]
How can this vulnerability impact me?
The vulnerability can allow attackers to execute unauthorized actions in the context of users visiting the uploaded SVG file URL. This includes manipulating the user interface, redirecting users to malicious websites, or performing other malicious activities in the victim's browser. Both authenticated and unauthenticated users can be affected when they access the malicious SVG file. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for SVG files uploaded via the FluentCMS File Management module that contain embedded JavaScript code. One approach is to log into the FluentCMS admin panel and review uploaded SVG files for suspicious script tags or JavaScript content. Additionally, you can scan the publicly accessible directories where SVG files are stored for files containing `<script>` tags or JavaScript event handlers. For example, you might run `grep -r "<script" /path/to/svg/uploads` on the server to find SVG files containing scripts. Also, monitoring HTTP requests to SVG files and inspecting responses for embedded JavaScript can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting the ability to upload SVG files to trusted administrators only, if not already restricted. Implement input validation and sanitization to remove any embedded JavaScript from SVG files before allowing uploads. Additionally, configure the web server to serve SVG files with restrictive security headers such as Content-Security-Policy to prevent script execution. Removing or quarantining any existing SVG files that contain embedded JavaScript is also recommended. Finally, coordinate with the FluentCMS development team for patches or updates addressing this vulnerability. [1]
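The following script is an added example that is not part of this CVE record or of FluentCMS itself; it covers both the detection question above (scanning an uploads directory) and the mitigation question (stripping active content and serving SVGs with restrictive headers). It parses each SVG as XML instead of grepping for `<script`, because a plain grep misses `on*` event-handler attributes and `javascript:` URLs in `href`/`xlink:href`, and it uses a small constructed malicious and clean SVG pair as sample input. The upload directory path, the function names and the exact header values are assumptions, not FluentCMS configuration.

```python
"""Audit and sanitize uploaded SVG files for active content.

Added example, not FluentCMS code. Flags <script> elements, on* event-handler
attributes and javascript: URLs, strips them, and defines the response headers
a server should attach when serving user-uploaded SVGs.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default/xlink prefixes on re-serialization instead of ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

ACTIVE_ELEMENTS = {"script"}
JS_URL = re.compile(r"\s*javascript:", re.IGNORECASE)

# Assumed headers for serving user-supplied SVGs: the CSP forbids inline and
# external script, nosniff stops MIME guessing, and "attachment" makes the
# browser download the file rather than render it in the site's origin.
SVG_RESPONSE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
}

# Constructed samples (not real uploads): one carrying active content, one clean.
SAMPLE_MALICIOUS = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('x')">
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert('y')"><text y="20">click</text></a>
  <circle r="10"/>
</svg>"""
SAMPLE_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'


def _local(name):
    """Strip an XML namespace prefix ({uri}name -> name) and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return (kind, detail) findings for script-bearing constructs in an SVG.

    Raises xml.etree.ElementTree.ParseError on malformed XML; callers should
    treat an unparseable upload as a rejection, not as clean.
    """
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if _local(el.tag) in ACTIVE_ELEMENTS:
            findings.append(("element", _local(el.tag)))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(("event-handler", aname))
            elif aname == "href" and JS_URL.match(value):
                findings.append(("javascript-url", value.strip()))
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with script elements, on* attributes and javascript: URLs removed."""
    root = ET.fromstring(svg_text)
    # Collect first, then remove: mutating the tree while iterating skips nodes.
    doomed = [(parent, child) for parent in root.iter()
              for child in parent if _local(child.tag) in ACTIVE_ELEMENTS]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            aname = _local(attr)
            if aname.startswith("on") or (aname == "href" and JS_URL.match(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def scan_directory(upload_dir):
    """Walk an uploads directory (assumed path) and map risky SVG files to findings."""
    report = {}
    for path in Path(upload_dir).rglob("*.svg"):
        try:
            findings = find_active_content(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError as exc:
            findings = [("parse-error", str(exc))]
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the real uploads dir
        Path(tmp, "logo.svg").write_text(SAMPLE_CLEAN, encoding="utf-8")
        Path(tmp, "upload.svg").write_text(SAMPLE_MALICIOUS, encoding="utf-8")
        for path, findings in scan_directory(tmp).items():
            print(path, findings)
    print(sanitize_svg(SAMPLE_MALICIOUS))
```

Run `scan_directory` against the real upload directory to produce the quarantine list the mitigation answer calls for, and apply `sanitize_svg` at upload time (rejecting anything that fails to parse) rather than only on files already stored. Even sanitized SVGs are best served with the headers above, since sanitizers lag behind browser parsing quirks.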
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.