CVE-2020-12882
MEDIUM
Submitty <= 20.04.01 - Cross-Site Scripting via SVG Upload
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2020-12882. PoCs published by humblelad.
AI-analyzed exploit summary
This is a writeup describing a persistent XSS vulnerability in Submitty 20.04.01 via SVG file upload. It outlines the steps to exploit the vulnerability but does not include actual exploit code.
Description
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow.
Exploits (1)
exploitdb
WRITEUP
by humblelad · text · webapps · php
https://www.exploit-db.com/exploits/48488
Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
Submitty 20.04.01
Auth required
Prerequisites:
Student account credentials · Access to a gradeable submission page
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (2)
Core References
Third Party Advisory x_refsource_misc
https://github.com/Submitty/Submitty/issues/5266
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/157756/Submitty-20.04.01-Cross-Site-Scripting.html
Scores
CVSS v3
5.4
EPSS
0.0120
EPSS Percentile
64.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
rcos/submitty
< 20.04.01
Published
May 15, 2020
Tracked Since
Feb 18, 2026