Description
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
Published: 2026-04-28
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Client‑side Cross‑Site Scripting via uploaded SVG
Action: Apply Update
AI Analysis

Impact

The vulnerability lies in FUEL CMS's asset upload feature, where SVG files are not properly sanitized. A low‑privileged authenticated user can upload a crafted SVG containing malicious code.

Affected Systems

Installations running FUEL CMS version 1.5.2 or earlier are affected. The flaw is present in the asset upload functionality used throughout the admin interface and any pages that display uploaded SVG assets.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact. EPSS is not provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a low‑privileged authenticated account that can upload a crafted SVG. The description states that the application fails to sanitize SVG files, but it does not explicitly mention how or whether the malicious script is executed when the file is viewed. Based on typical XSS behavior in web applications, it is inferred that rendering a malicious SVG would execute the embedded script in the viewer’s browser, but this inference is not confirmed by the supplied description.

Generated by OpenCVE AI on April 29, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer release of FUEL CMS that includes proper SVG sanitization
  • If an upgrade is not feasible, disable the SVG upload feature or restrict uploads to safe file types
  • Implement server‑side validation to strip script tags and other dangerous elements from uploaded SVG files before rendering
  • Deploy a web application firewall to detect and block XSS payloads in file uploads

Generated by OpenCVE AI on April 29, 2026 at 02:17 UTC.
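A minimal server-side SVG sanitizer in Python, added here as an example and not code from the advisory or from FUEL CMS, that implements the third recommended action: script-bearing elements, event-handler attributes and script-scheme hrefs are stripped before the upload is stored, and a list of what was removed is returned for audit logging. The sample upload is constructed; in production prefer an element allow-list and a hardened parser such as defusedxml, since the stdlib ElementTree is not protected against entity-expansion attacks.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Deny-list of elements that run script, embed foreign markup, or (SMIL) can
# rewrite an href at runtime; a production filter should prefer an allow-list.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}


def _local(qname: str) -> str:
    """Drop the {namespace} prefix ElementTree adds and lower-case the name."""
    return qname.rsplit("}", 1)[-1].lower()


def _dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace/control chars inside a scheme: "java\tscript:"
    # must be treated like "javascript:".
    scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return scheme.startswith(("javascript:", "vbscript:", "data:"))


def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned SVG, list of stripped items for audit logging); raises on non-SVG."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    for elem in list(root.iter()):  # snapshot: the tree is mutated while walking
        for attr in list(elem.attrib):
            name = _local(attr)  # covers both href and xlink:href
            if name.startswith("on") or (name == "href" and _dangerous_url(elem.attrib[attr])):
                del elem.attrib[attr]
                removed.append(f"attribute:{name}")
        for child in list(elem):
            if _local(child.tag) in FORBIDDEN_TAGS:
                elem.remove(child)
                removed.append(f"element:{_local(child.tag)}")
    return ET.tostring(root), removed


# Constructed sample upload for demonstration; not from the advisory or FUEL CMS.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="20">click</text></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""
```

Run `sanitize_svg(SAMPLE_SVG)` to see the `<rect>` survive while the `onload` handler, the `<script>` element and the tab-obfuscated `javascript:` link are all stripped; a parse error or `ValueError` means the upload should be rejected outright.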

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:45:00 +0000

Type: Title
Values Added: Stored Cross‑Site Scripting via Unsanitized SVG Upload in FUEL CMS

Tue, 28 Apr 2026 20:00:00 +0000

Type: Title
Values Added: Stored Cross‑Site Scripting via Unsanitized SVG Upload in FUEL CMS

Tue, 28 Apr 2026 18:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Daylightstudio; Daylightstudio fuel Cms

Type: Vendors & Products
Values Added: Daylightstudio; Daylightstudio fuel Cms

Tue, 28 Apr 2026 16:15:00 +0000

Type: Description
Values Added: Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T17:59:04.934Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38948

Vulnrichment

Updated: 2026-04-28T17:58:59.912Z

NVD

Status: Deferred

Published: 2026-04-28T16:16:13.557

Modified: 2026-04-28T20:13:21.737

Link: CVE-2026-38948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:30:07Z

Weaknesses