CVE-2025-70842

MEDIUM

FluentCMS 1.2.3 - Stored Cross-Site Scripting via SVG File Upload

Title source: llm

Description

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3. The flaw allows an authenticated administrator to upload crafted SVG files containing malicious JavaScript code. Once uploaded, the script executes in the browser of any user who accesses the direct URL of the image, including unauthenticated visitors.

References (2)

Core 2

Core References

https://github.com/fluentcms/FluentCMS/issues/2404

https://github.com/fluentcms/FluentCMS/pull/2407

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 3.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published May 12, 2026

Tracked Since May 12, 2026