CVE-2026-27621
Stored XSS in TypiCMS File Upload Module Allows Session Hijack
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| typicms | typicms | up to 16.1.7 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27621 is a Stored Cross-Site Scripting (XSS) vulnerability in TypiCMS versions prior to 16.1.7, specifically in the file upload module.
TypiCMS lets users with file upload permissions upload SVG files; the upload validates the MIME type but does not sanitize the SVG content. An attacker can upload a specially crafted SVG file containing malicious JavaScript code.
When another user, such as an administrator, accesses the uploaded SVG file through the application, the embedded script executes in their browser, potentially compromising their session.
Additionally, a bug in the SVG parsing logic causes a 500 error if the SVG lacks a viewBox attribute, but attackers can easily include a valid viewBox to bypass this.
The vulnerability is fixed in TypiCMS version 16.1.7 by sanitizing SVG content during upload.
How can this vulnerability impact me?
This vulnerability allows execution of arbitrary JavaScript in the victim user's browser context when they access a malicious SVG file.
- Attackers can perform authenticated actions on behalf of the victim, such as creating admin accounts, changing credentials, deleting or modifying content, and exfiltrating sensitive data.
- The attacker can manipulate the admin user interface for phishing, capture keystrokes, and fully compromise the application.
- Although HttpOnly cookies prevent direct theft of session cookies via JavaScript, the attacker can still hijack sessions through other means. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying uploaded SVG files that may contain malicious JavaScript code. Since the vulnerability involves stored SVG files with embedded scripts, detection involves inspecting SVG files uploaded through the TypiCMS file upload module.
You can look for SVG files in the publicly accessible upload directories and check for the presence of `<script>` tags or suspicious event handler attributes (such as onload, onclick) inside these SVG files.
Example commands to detect potentially malicious SVG files on the server filesystem include:
- Find all SVG files: `find /path/to/typicms/uploads -type f -name '*.svg'`
- Search for `<script>` tags inside SVG files: `grep -ril '<script' /path/to/typicms/uploads/*.svg`
- Search for event handler attributes (e.g., onload) inside SVG files: `grep -ril 'onload=' /path/to/typicms/uploads/*.svg`
Additionally, monitoring HTTP access logs for requests to SVG files and analyzing the content served can help detect exploitation attempts. [1]
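The grep commands above miss script elements written with a namespace prefix (`<s:script>`) and `javascript:` URLs in `href`/`xlink:href`. The following scanner is an added example, not code from TypiCMS or from this advisory; it parses each SVG as XML and reports script elements, `on*` handlers and `javascript:` links. The upload directory path and the two sample documents are constructed for illustration.

```python
"""Triage uploaded SVG files for script-bearing content (CVE-2026-27621)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements that run script or embed arbitrary HTML when an SVG renders inline.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace ('{uri}script' -> 'script') and lowercase it."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return human-readable findings for one SVG document; [] means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); inspect manually"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # also catches xlink:href and ONLOAD
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def scan_uploads(upload_dir: str) -> dict[str, list[str]]:
    """Walk upload_dir (assumed path) and map suspicious .svg files to findings."""
    hits = {}
    for path in Path(upload_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            findings = find_active_content(path.read_text("utf-8", errors="replace"))
            if findings:
                hits[str(path)] = findings
    return hits


# Constructed samples, not files from any real deployment.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>'
SUSPECT_SVG = (  # namespace prefix defeats a literal grep for '<script'; the parser does not
    '<s:svg xmlns:s="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<s:script>/* placeholder */</s:script>'
    '<s:rect width="10" height="10" onload="/* placeholder */"/></s:svg>'
)

if __name__ == "__main__":
    for path, findings in scan_uploads(sys.argv[1]).items():
        print(path, "->", "; ".join(findings))
```

Run it as `python scan_svg.py /path/to/typicms/uploads`; a non-empty result is a file to quarantine and review, not proof of exploitation.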
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing SVG files upon upload to remove any embedded JavaScript or dangerous elements.
Specifically, you should:
- Apply the update to TypiCMS version 16.1.7 or later, which includes SVG sanitization during file upload.
- If immediate upgrade is not possible, disable SVG uploads by removing 'svg' from the allowed MIME types in the file upload validation.
- Implement strict Content-Security-Policy (CSP) headers to prevent execution of inline scripts.
- Serve user-uploaded files from a separate, cookie-less domain to isolate user content from the main application.
These steps reduce the risk of malicious SVG files executing scripts in users' browsers and help protect administrative sessions. [1, 2]