FluentCMS 2026 Stored XSS via SVG Upload in File Management

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Description

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL.

Basic Information

ID CVE-2025-15549

Source VulnCheck

Published Jan 29, 2026 at 19:41

Modified Jan 29, 2026 at 20:20

Affected Product

Vendor FluentCMS

Product FluentCMS

Affected Versions FluentCMS FluentCMS 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL.",
    "published": "2026-01-29T19:41:36.216Z",
    "modified": "2026-01-29T20:20:42.708Z",
    "type": "cve",
    "title": "FluentCMS 2026 Stored XSS via SVG Upload in File Management",
    "source": "VulnCheck",
    "references": "https://github.com/fluentcms/FluentCMS/issues/2404\nhttps://www.vulncheck.com/advisories/fluentcms-stored-xss-via-svg-upload-in-file-management",
    "id": "CVE-2025-15549",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "FluentCMS FluentCMS 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FluentCMS",
    "version": "0",
    "vendor": "FluentCMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FluentCMS 2026 Stored XSS via SVG Upload in File Management_CVE-2025-15549