CVE-2023-53884

MEDIUM

Webedition CMS 2.9.8.8 - Authenticated Stored Cross-Site Scripting via SVG Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53884. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Webedition CMS v2.9.8.8 by uploading a malicious SVG file containing JavaScript code. The SVG file, when rendered, executes the embedded script, leading to arbitrary JavaScript execution in the context of the victim's session.

Description

Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mirabbas Ağalarov · textwebappsphp
https://www.exploit-db.com/exploits/51662

This exploit demonstrates a stored XSS vulnerability in Webedition CMS v2.9.8.8 by uploading a malicious SVG file containing JavaScript code. The SVG file, when rendered, executes the embedded script, leading to arbitrary JavaScript execution in the context of the victim's session.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Webedition CMS v2.9.8.8
Auth required
Prerequisites: Valid credentials to access the Webedition CMS admin panel · Ability to upload files
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.4
EPSS 0.0003
EPSS Percentile 8.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
Webedition/Webedition CMS 2.9.8.8
webedition/webedition_cms 2.9.8.8
Published Dec 15, 2025
Tracked Since Feb 18, 2026