CVE-2018-25157
MEDIUM
Phraseanet 4.0.3 - XSS
Title source: llm
Description
Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.
Exploits (1)
exploitdb
WORKING POC
by Krzysztof Szulski · text · webapps · multiple
https://www.exploit-db.com/exploits/46935
Scores
CVSS v3
6.4
EPSS
0.0004
EPSS Percentile
10.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
phraseanet/phraseanet
Packagist
Phraseanet/Phraseanet DAM Open Source
<= 4.0.3
Phraseanet/Phraseanet DAM Open Source
4.0.4-dev
Published
Feb 11, 2026
Tracked Since
Feb 18, 2026