FluentCMS
Cross-site scripting in FluentCMS 0.0.5 allows a remote, highly privileged attacker to inject malicious JavaScript via the /admin/blocks endpoint of the Blocks Plugin. The attack requires high privileges (admin-level authentication) and victim user interaction, which significantly constrains real-world impact; the CVSS base score of 2.4 reflects this narrow exploitation surface. A publicly available proof-of-concept exists per HackMD, and the vendor has not responded to disclosure, leaving no official patch in place. At the time of analysis, no public exploit had been identified as reaching CISA KEV status.
FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. [CVSS 4.8 MEDIUM]