Description
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.
Published: 2026-05-12
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in FluentCMS 1.2.3’s File Management module lets an authenticated administrator upload SVG files that embed arbitrary JavaScript. When a user opens the image’s direct URL, the script runs in that user’s browser. The vulnerability is a classic stored XSS: the uploaded file is served as an SVG document rather than inert image data, so the embedded script executes client‑side. The impact is limited to browsers that request the infected image, but because the image can be accessed by anyone, including visitors who have not logged in, the risk applies to all users who view the file.

Affected Systems

FluentCMS version 1.2.3, specifically the File Management module that permits SVG uploads. The issue exists only when the system runs that exact version and an administrator is allowed to upload content.

Risk and Exploitability

Exploitation requires administrative credentials to upload the malicious SVG. Once the file is stored, any viewer of its URL is affected. The CVSS score of 5.4 represents moderate severity, and the lack of an EPSS value or KEV listing suggests no known public exploitation. The stored XSS nature makes the flaw a notable risk because it delivers code directly to client browsers without server‑side filtering.

Generated by OpenCVE AI on May 12, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch that removes the ability to upload SVG files or sanitizes them on upload
  • If a patch is unavailable, block SVG uploads by configuring file‑type restrictions or server‑side filtering
  • Implement a Content Security Policy that blocks inline scripts and limits script origins
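The following is an added example, not FluentCMS code or an OpenCVE artifact, showing how the second and third recommended actions fit together on the server side: an upload gate that identifies SVG content by inspecting the bytes (so a renamed `.png` is still caught) and a header set for serving user uploads that blocks script execution even if an SVG is opened at its direct URL. The allow-list of extensions, the 8 KiB sniff window, and the function names are assumptions for the illustration; the sample files are constructed inline.

```python
"""Server-side SVG gatekeeping and response hardening for user uploads.

Added example, not FluentCMS code. Assumes the application can reject files
at upload time and set response headers when serving the media directory.
"""
import re
from typing import Dict, Tuple

# Assumed media-library policy: raster formats and PDF only, no SVG.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf"}

# Bytes examined when sniffing; an XML root element further in than this is
# not a document a browser would render as SVG anyway.
SNIFF_WINDOW = 8192

# The SVG root element, case-insensitive, tolerant of a namespace prefix and
# of any of the characters that may legally follow the tag name.
_SVG_ROOT = re.compile(rb"<\s*(?:[A-Za-z_][\w.-]*:)?svg[\s>/]", re.IGNORECASE)


def looks_like_svg(data: bytes) -> bool:
    """Return True if the content is an SVG document, ignoring the extension
    and any declared MIME type.

    The search is deliberately loose (any '<svg' tag within the window) so that
    the failure direction is over-rejection, never a missed SVG.
    """
    head = data[:SNIFF_WINDOW]
    if head.startswith(b"\xef\xbb\xbf"):          # UTF-8 BOM
        head = head[3:]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):  # UTF-16 BOM: browsers honour it
        head = head.decode("utf-16", errors="ignore").encode("utf-8")
    return _SVG_ROOT.search(head) is not None


def classify_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether a file may enter the media library.

    Returns (accepted, reason). The extension check alone is not enough: the
    content sniff runs on every file, so a renamed SVG is still rejected.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' is not in the allow-list"
    if looks_like_svg(data):
        return False, "content is an SVG document (active content), regardless of extension"
    return True, "ok"


def upload_response_headers(content_type: str) -> Dict[str, str]:
    """Headers for serving any file from the uploads path.

    The CSP applies to the served document itself, so a direct-URL visit to an
    SVG cannot run inline or external script; 'nosniff' stops the browser from
    reinterpreting the type, and 'attachment' prevents top-level rendering
    while leaving <img> embedding unaffected.
    """
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; "
                                   "style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",
    }


# Constructed sample inputs for the demonstration.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SVG_WITH_SCRIPT = (
    b"<svg xmlns='http://www.w3.org/2000/svg'><script>/* constructed */</script></svg>"
)
SAMPLE_SVG_WITH_PROLOG = (
    b"<?xml version='1.0'?>\n<!-- comment before root -->\n"
    b"<SVG xmlns='http://www.w3.org/2000/svg'/>"
)
SAMPLE_SVG_UTF16 = "<svg xmlns='http://www.w3.org/2000/svg'/>".encode("utf-16")

if __name__ == "__main__":
    for name, blob in [("logo.svg", SAMPLE_SVG_WITH_SCRIPT),
                       ("photo.png", SAMPLE_SVG_WITH_PROLOG),
                       ("photo.png", SAMPLE_PNG)]:
        print(name, classify_upload(name, blob))
    print(upload_response_headers("image/png"))
```

Both controls are needed: the upload gate keeps new SVGs out of the library, while the response headers neutralise files that were uploaded before the gate existed. Note that `Content-Disposition: attachment` changes the behaviour of legitimate direct links to media, so it is the control to confirm against the site's own use of the uploads path before enabling it.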


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title | | Stored XSS via SVG Upload in FluentCMS File Management

Tue, 12 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fluentcms, Fluentcms fluentcms
Vendors & Products | | Fluentcms, Fluentcms fluentcms

Tue, 12 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Stored XSS via SVG Upload in FluentCMS File Management

Tue, 12 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-79
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T15:41:34.710Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70842

Vulnrichment

Updated: 2026-05-12T15:41:30.913Z

NVD

Status: Received

Published: 2026-05-12T15:16:12.163

Modified: 2026-05-12T16:16:12.297

Link: CVE-2025-70842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:00:13Z

Weaknesses