CVE-2025-47778
MEDIUMSulu 2.5.21-2.5.24, 2.6.5-2.6.8, 3.0.0-alpha1-3.0.0-alpha2 - XML External Entity Injection via SVG Upload
Title source: llmDescription
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
Patch x_refsource_misc
https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
Various Sources x_refsource_misc
https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
Scores
CVSS v4
6.1
EPSS
0.0038
EPSS Percentile
29.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-611
Status
published
Products (4)
sulu/sulu
2.5.21 - 2.5.25Packagist
sulu/sulu
>= 2.5.21, < 2.5.25
sulu/sulu
>= 2.6.5, < 2.6.9
sulu/sulu
>= 3.0.0-alpha1, < 3.0.0-alpha3
Published
May 14, 2025
Tracked Since
Feb 18, 2026