CVE-2026-15321
Received Received - Intake

Stored XSS in MyEMS Admin Backend via SVG Component

Vulnerability report for CVE-2026-15321, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulDB

Description

A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function on_post of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument new_values['data'] results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 6.5.0 is sufficient to fix this issue. The patch is identified as 4a97edfbd786c779d0322054833b21ddf54d5b06. It is suggested to upgrade the affected component. The issue report remains open even though there is an official fix for it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
myems myems to 6.5.0 (exc)
myems myems 6.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15321 is a Stored Cross-Site Scripting (XSS) vulnerability found in the MyEMS application up to version 6.4.0. It exists in the function on_post of the file myems-api/core/svg.py within the Admin Backend component. The vulnerability arises because the application allows uploading SVG files without properly sanitizing or filtering the SVG content.

A malicious user with admin privileges can upload an SVG file containing malicious JavaScript code. When other users view or access this SVG, the malicious script executes in their browsers. The current validation only checks basic parameters but does not sanitize the SVG content to remove dangerous elements like scripts or event handlers.

The vulnerability can be exploited remotely and has a public exploit available. The fix involves sanitizing SVG uploads by whitelisting safe tags and attributes and removing harmful code, which was implemented in a significant code change in the svg.py file.

Impact Analysis

This vulnerability can lead to malicious JavaScript code executing in the browsers of users who view the uploaded SVG files. This can result in session cookie theft, allowing attackers to hijack user sessions and potentially take over user accounts.

Because the malicious payload executes in the context of every user's browser session, it can compromise the security and privacy of all users who access the affected SVG content.

The attack can be launched remotely by an attacker with admin privileges who uploads the malicious SVG, making it a serious risk for organizations using vulnerable versions of MyEMS.

Detection Guidance

This vulnerability involves a Stored Cross-Site Scripting (XSS) attack via malicious SVG file uploads in the MyEMS admin backend. Detection involves identifying if malicious SVG files containing JavaScript or unsafe elements have been uploaded.

To detect exploitation attempts or presence of malicious SVG files, you can search for SVG files containing suspicious tags or JavaScript URIs in your system or logs.

  • Use grep or similar tools to scan uploaded SVG files for suspicious content, for example: grep -r -i -E '<script|javascript:|iframe|onload|onerror' /path/to/svg/uploads
  • Check web server or application logs for requests to the vulnerable endpoint (e.g., the on_post function in myems-api/core/svg.py) that include SVG uploads.
  • Monitor for unusual admin backend activity or unexpected SVG file uploads by users with admin privileges.
Mitigation Strategies

The primary and recommended mitigation is to upgrade MyEMS to version 6.5.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict or disable SVG file uploads in the admin backend to prevent malicious SVG content from being uploaded.

Implement input validation and sanitization on SVG uploads by using libraries such as bleach to whitelist safe SVG tags and attributes, removing any scripts or event handlers.

Limit admin privileges to trusted users only and monitor for suspicious activity related to SVG uploads.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the MyEMS application that allows an attacker to execute malicious scripts in the context of other users' browsers, potentially leading to session cookie theft and full account takeover.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.

However, the provided context does not explicitly discuss the impact of this vulnerability on compliance with these or other regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart