CVE-2023-53925

MEDIUM

UliCMS 2023.1 - Stored Cross-Site Scripting via SVG File Upload

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53925. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in UliCMS 2023.1-sniffing-vicuna by uploading a malicious SVG file containing JavaScript code. The SVG file, when accessed, executes the embedded script, triggering an alert with the document location.

Description

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51435

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Ulicms 2023.1-sniffing-vicuna
Auth required
Prerequisites: Access to the admin panel · Ability to upload files
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 6.1
EPSS 0.0030
EPSS Percentile 21.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (2)
ulicms/ulicms 2023.1
Ulicms/Ulicms 2023.1
Published Dec 17, 2025
Tracked Since Feb 18, 2026