Description
Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via XSS in uploaded SVGs
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw (CWE‑79) in Wix’s image upload endpoint. An authenticated attacker can upload an SVG file containing embedded JavaScript, which is stored and then executed when other users view the image. This allows the attacker to run arbitrary code in the victim’s browser, potentially revealing sensitive data or hijacking the victim’s session.

Affected Systems

The flaw affects all versions of the Wix web application, specifically the account‑settings image upload feature accessed through https://manage.wix.com/account/account-settings.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS score of < 1% suggests a low likelihood of exploitation so far. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access to the target account to upload the malicious SVG; unprivileged users who view the image become the victims.

Generated by OpenCVE AI on April 18, 2026 at 18:09 UTC.

Remediation

Vendor Solution

No solution has been reported at this time.

OpenCVE Recommended Actions

  • Validate and sanitize SVG uploads to strip or block embedded script blocks and restrict the image to safe types.
  • Enforce least privilege by requiring additional user verification before allowing image uploads and monitor for anomalous upload activity.
  • Apply a web application firewall rule or content security policy to filter out or block malicious script content in uploaded files.

Generated by OpenCVE AI on April 18, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 09:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wix:web_application:all_versions:*:*:*:*:*:*:*

Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Wix
Wix web Application
Vendors & Products Wix
Wix web Application

Thu, 12 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
Description Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.
Title Reflected Cross-Site Scripting in the Wix web application
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wix Web Application
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-13T09:10:47.744Z

Reserved: 2026-02-10T13:03:46.213Z

Link: CVE-2026-2276

cve-icon Vulnrichment

Updated: 2026-02-12T14:18:29.775Z

cve-icon NVD

Status : Deferred

Published: 2026-02-12T11:15:50.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses