Primary

Context

CMS Made Simple Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in CMS Made Simple version 2.2.15. This issue allows authenticated users with Content Manager access to upload SVG files containing malicious scripts. The injected JavaScript executes when other authenticated users access the uploaded file, potentially leading to cookie theft and session hijacking.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the file.

Reproduction

To reproduce this vulnerability, log into the CMS Made Simple admin panel as a user with Content Manager access. Navigate to the file manager and upload a malicious SVG file containing JavaScript. Once the file is uploaded, access it through the file manager to trigger the execution of the embedded script, which will execute in the context of the user viewing the file.

Added: May 16, 2026, 4:34 PM

Updated: May 16, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

5.4

exploitability

6.5

remediation

0.0

relevance

8.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

5.4

exploitability

6.5

remediation

0.0

relevance

8.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

CMS Made Simple Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

Impact

Reproduction

Affected Products

CMS Made Simple

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating