CVE-2026-27621
Status: Received - Intake
Stored XSS in TypiCMS File Upload Module Allows Session Hijack

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attacker can upload a specially crafted SVG file containing malicious JavaScript code. When another user (such as an administrator) views or accesses this file through the application, the script executes in their browser, leading to a compromise of that user's session. The issue is exacerbated by a bug in the SVG parsing logic, which can cause a 500 error if the uploaded SVG does not contain a `viewBox` attribute. However, this does not mitigate the XSS vulnerability, as an attacker can easily include a valid `viewBox` attribute in their malicious payload. Version 16.1.7 of TypiCMS Core fixes the issue.
Meta Information
Published: 2026-02-25
Last Modified: 2026-02-27
Generated: 2026-06-16
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: typicms
Product: typicms
Version / Range: up to 16.1.7 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-27621 is a Stored Cross-Site Scripting (XSS) vulnerability in TypiCMS versions prior to 16.1.7, specifically in the file upload module.

TypiCMS allows users with file upload permissions to upload SVG files. The upload is validated by MIME type only; the SVG content itself is not sanitized, so an attacker can upload a specially crafted SVG file containing malicious JavaScript code.

When another user, such as an administrator, accesses the uploaded SVG file through the application, the embedded script executes in their browser, potentially compromising their session.

Additionally, a bug in the SVG parsing logic causes a 500 error if the SVG lacks a viewBox attribute. This is not a mitigation, since an attacker can simply include a valid viewBox attribute in the payload.

The vulnerability is fixed in TypiCMS version 16.1.7 by sanitizing SVG content during upload.

Impact Analysis

This vulnerability allows execution of arbitrary JavaScript in the victim user's browser context when they access a malicious SVG file.

- Attackers can perform authenticated actions on behalf of the victim, such as creating admin accounts, changing credentials, deleting or modifying content, and exfiltrating sensitive data.
- The attacker can manipulate the admin user interface for phishing, capture keystrokes, and fully compromise the application.
- Although HttpOnly cookies prevent direct theft of session cookies via JavaScript, the attacker can still hijack sessions through other means. [1]

Detection Guidance

This vulnerability can be detected by identifying uploaded SVG files that may contain malicious JavaScript code. Since the vulnerability involves stored SVG files with embedded scripts, detection involves inspecting SVG files uploaded through the TypiCMS file upload module.

You can look for SVG files in the publicly accessible upload directories and check for the presence of <script> tags or suspicious event handler attributes (such as onload, onclick) inside these SVG files.

Example commands to detect potentially malicious SVG files on the server filesystem include:

- Find all SVG files: `find /path/to/typicms/uploads -type f -name '*.svg'`
- Search for <script> tags inside SVG files (recursively, matching the find above): `grep -ril '<script' --include='*.svg' /path/to/typicms/uploads`
- Search for event handler attributes (e.g., onload) inside SVG files: `grep -ril 'onload=' --include='*.svg' /path/to/typicms/uploads`

Additionally, monitoring HTTP access logs for requests to SVG files and analyzing the content served can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing SVG files upon upload to remove any embedded JavaScript or dangerous elements.

Specifically, you should:

- Apply the update to TypiCMS version 16.1.7 or later, which includes SVG sanitization during file upload.
- If immediate upgrade is not possible, disable SVG uploads by removing 'svg' from the allowed MIME types in the file upload validation.
- Implement strict Content-Security-Policy (CSP) headers to prevent execution of inline scripts.
- Serve user-uploaded files from a separate, cookie-less domain to isolate user content from the main application.

These steps reduce the risk of malicious SVG files executing scripts in users' browsers and help protect administrative sessions. [1, 2]
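As an added example (not TypiCMS code and not from the advisory), the following Python covers both the detection check above and the upload-time sanitization recommended here: it parses the SVG as XML instead of grepping, reports `<script>` elements, `on*` event-handler attributes and `javascript:` URLs, and strips them before the file would be stored. The fixture SVG, the function names and the attribute list are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Keep the SVG namespace as the default (un-prefixed) namespace when re-serializing.
ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_ATTRS = {"href", XLINK_HREF}  # attributes whose value is a URL
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)

# Constructed fixture, not a real upload: one inert shape plus the three
# script-bearing constructs that the detection guidance names.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <rect width="10" height="10" onload="handler()"/>
  <a xlink:href="javascript:handler()"><text>link</text></a>
  <script>handler()</script>
</svg>"""

def _local(qname):
    """Strip an ElementTree namespace prefix like {http://www.w3.org/2000/svg}."""
    return qname.rsplit("}", 1)[-1].lower()

def _bad_attrs(el):
    """Attributes on el that can run script: on* handlers and javascript: URLs."""
    return [a for a, v in el.attrib.items()
            if _local(a).startswith("on") or (a in URL_ATTRS and JS_SCHEME.match(v))]

def audit_svg(data):
    """Detection: list every active-content construct in an SVG byte string.
    Unlike grep -i '<script', this also reports handler attributes and javascript: URLs."""
    findings = []
    for el in ET.fromstring(data).iter():
        name = _local(el.tag)
        if name == "script":
            findings.append("<script> element")
        findings.extend(f"<{name}> {_local(a)}" for a in _bad_attrs(el))
    return findings

def sanitize_svg(data):
    """Mitigation: return the SVG with <script> elements and script-bearing
    attributes removed, leaving the drawing intact. Run before storing an upload."""
    root = ET.fromstring(data)
    for parent in list(root.iter()):  # snapshot: the tree is mutated while walking
        for child in [c for c in parent if _local(c.tag) == "script"]:
            parent.remove(child)
        for attr in _bad_attrs(parent):
            del parent.attrib[attr]
    return ET.tostring(root)
```

On a production upload path, parse untrusted XML with defusedxml rather than the standard library to guard against entity-expansion attacks.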
