Skip to main content

FluentCMS EUVDEUVD-2025-209787

| CVE-2025-70842 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 mitre GHSA-7m9c-h5vv-88gq
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 12, 2026 - 17:46 vuln.today
Analysis Generated
May 12, 2026 - 17:46 vuln.today
CVSS changed
May 12, 2026 - 16:22 NVD
5.4 (MEDIUM)
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.

AnalysisAI

Stored cross-site scripting (XSS) in FluentCMS 1.2.3 File Management module allows authenticated administrators to upload SVG files with embedded malicious JavaScript that executes when any user-including unauthenticated visitors-accesses the image URL directly. The vulnerability has public proof-of-concept code available via GitHub pull request, and CISA SSVC framework confirms exploitability is feasible but requires user interaction and is not automatable. CVSS 5.4 reflects the attack complexity introduced by authentication requirement and user interaction, but the cross-origin scope and ability to affect multiple users elevates real-world risk.

Technical ContextAI

The vulnerability exists in the File Management module's FileService.cs, which processes uploaded SVG files. SVG is an XML-based vector image format that supports embedded JavaScript via <script> tags and event handlers (onload, onclick, etc.). The original code failed to sanitize SVG content before persistence, allowing authenticated administrators to upload payloads that execute in-browser when served to other users. The fix involves XML parsing with DTD protection (XmlReaderSettings with DtdProcessing.Prohibit) and removal of dangerous elements (<script>, <foreignObject>) and event-handler attributes. The root cause is improper input validation and insufficient output encoding for XML-embedded scripts, classified as CWE-79 (Cross-site Scripting). CPE data indicates the vulnerability affects FluentCMS but exact version metadata is incomplete in available sources.

RemediationAI

Upgrade FluentCMS to the version containing GitHub pull request 2407 (likely 1.2.4 or later; verify with vendor release notes at https://github.com/fluentcms/FluentCMS/releases). The upstream fix sanitizes SVG files by parsing with XML security hardening (DTD processing disabled), removing dangerous elements (<script>, <foreignObject>), and stripping event-handler attributes and javascript:/vbscript:/data: scheme URLs. If immediate upgrade is not possible, implement compensating controls: disable SVG upload entirely via file extension whitelist (restrict to PNG, JPG, GIF only), or implement server-side Content Security Policy (CSP) headers with img-src 'self' and script-src that blocks inline scripts-though CSP will not prevent the XSS if images are served with unsafe CSP directives. Another control is to serve all user-uploaded content from a separate domain (subdomain or external CDN) with no access to session cookies (set Secure; SameSite=None on admin session cookies), limiting XSS scope. These workarounds reduce functionality and usability; patching is the definitive fix.

Share

EUVD-2025-209787 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy