Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
AnalysisAI
Cross-Site Scripting (XSS) via malicious SVG upload in FUEL CMS v1.5.2 and earlier allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers through the asset upload functionality. The vulnerability stems from inadequate sanitization of SVG file contents during upload, enabling attackers with valid credentials to craft weaponized SVG files that execute when viewed by administrators or other site visitors. No active exploitation in CISA KEV confirmed; CVSS 5.4 reflects moderate impact with user interaction requirement.
Technical ContextAI
FUEL CMS is a CodeIgniter-based content management system with an asset management feature that accepts file uploads. SVG (Scalable Vector Graphics) files, while ostensibly image files, are XML-based and can contain embedded JavaScript through event handlers (e.g., onload), script tags, or other executable elements. The vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) indicates the application performs insufficient input validation and output encoding on SVG assets. The asset upload handler fails to strip or neutralize malicious script content from SVG payloads before storing or serving them, allowing the embedded code to execute in the context of users who subsequently access or preview the uploaded asset.
RemediationAI
Upgrade FUEL CMS to a patched version released after v1.5.2; consult the official FUEL CMS GitHub repository (https://github.com/daylightstudio/FUEL-CMS) for the specific fix version. As a temporary compensating control pending patching, disable or restrict access to the asset upload functionality to administrators only, reducing the attack surface by limiting the pool of users who can upload files. Additionally, implement server-side SVG validation by parsing uploaded SVG files and removing or neutralizing executable elements (event handlers, script tags, embedded JavaScript) before storage - tools like DOMPurify (JavaScript) or similar server-side XML sanitizers can achieve this. Apply Content-Security-Policy (CSP) headers prohibiting inline scripts and restricting script-src to trusted sources; this does not prevent SVG upload but mitigates the blast radius if malicious SVGs are served. Trade-off: restricting uploads to administrators may hinder workflow if non-admins legitimately upload assets; SVG sanitization adds processing overhead but is strongly recommended as a permanent solution.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26063