CVE-2017-9516
MEDIUM
Craft CMS < 2.6.2982 - Stored Cross-Site Scripting via SVG File Upload
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2017-9516. PoCs published by Ahsan Tahir.
AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in Craft CMS 2.6 via unrestricted SVG file upload. The SVG file contains embedded JavaScript that executes when accessed, allowing session hijacking or phishing attacks.
Description
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
Exploits (1)
exploitdb
WORKING POC
by Ahsan Tahir · text · webapps · php
https://www.exploit-db.com/exploits/42143
Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
Craft CMS 2.6
Auth required
Prerequisites:
Low-privileged editor account · Ability to upload SVG files
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (4)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://packetstormsecurity.com/files/142851/Craft-CMS-2.6-Cross-Site-Scripting-File-Upload.html
Press/Media Coverage, Third Party Advisory x_refsource_misc
https://twitter.com/CraftCMS/status/872599894912937984
Release Notes, Vendor Advisory x_refsource_misc
https://craftcms.com/changelog#2-6-2982
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42143/
Scores
CVSS v3
5.4
EPSS
0.0231
EPSS Percentile
81.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
craftcms/cms
0 - 2.6.2982 (Packagist)
craftcms/craft_cms
< 2.6.2981
Published
Jun 08, 2017
Tracked Since
Feb 18, 2026