CouchCMS Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CouchCMS version 2.2.1. It allows an authenticated attacker to execute arbitrary JavaScript by uploading a malicious SVG file through the application's file upload feature. The vulnerable endpoint is browse.php, which accepts and stores the uploaded SVG files. When such a file is later accessed or previewed, the script embedded in it runs in the browser of the user viewing it.

Impact

Exploitation of this vulnerability results in persistent (stored) cross-site scripting: the injected script is executed every time the affected SVG file is accessed or previewed.

Reproduction

To reproduce this vulnerability, an authenticated user can upload an SVG file containing a script tag through the file upload functionality. The file should be uploaded to the browse.php endpoint. Once uploaded, accessing or previewing the SVG file will trigger the execution of the embedded JavaScript, demonstrating the cross-site scripting vulnerability.
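As an added example that is not part of this advisory and not CouchCMS code, the following Python screens an uploaded SVG on the server side for the constructs that let it execute script when rendered inline or previewed: <script> elements, on* event-handler attributes, and javascript: URLs in href/xlink:href (foreignObject is flagged as well, because it can embed arbitrary HTML). The sample SVG documents are constructed for the example, and the function names svg_active_content and is_safe_svg are the example's own.

```python
"""Server-side screening of an uploaded SVG for active content.

Added example, not CouchCMS code. The checker walks the SVG's XML tree
and reports the constructs that make an SVG execute script when it is
opened directly or inlined in a page. Anything reported should cause
the upload to be rejected.
"""
import xml.etree.ElementTree as ET


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes):
    """Return a list of findings for the given SVG; an empty list means none found.

    Malformed XML is reported as a finding too: a browser may still render
    what a strict parser refuses, so it must not pass by default.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        if tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            lname = _local(attr)
            # Any on* attribute (onload, onclick, ...) is an inline event handler.
            if lname.startswith("on"):
                findings.append(f"event handler attribute {lname} on <{tag}>")
            # Browsers drop ASCII tab/newline anywhere in a URL before parsing
            # it, so compare the scheme with all whitespace removed.
            if lname == "href":
                compact = "".join(value.split()).lower()
                if compact.startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the screen found nothing to report."""
    return not svg_active_content(svg_bytes)


# Constructed sample inputs (not real uploads); script bodies are left empty.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* constructed sample */</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */">'
               b'<rect/></svg>')
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#10;script:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, "->", svg_active_content(doc) or "no active content")
```

A check like this belongs on the upload path, before the file is written to storage, and it is a rejection filter rather than a sanitizer: anything flagged is refused instead of being rewritten. It also does not examine DOCTYPE declarations or entity expansion, which a full SVG sanitizer would. Independently of the filter, user-supplied SVGs are best served from a separate origin or with Content-Disposition: attachment, since browsers run SVG script only when the file is opened directly or inlined, not when it is referenced from an <img> tag.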

Added: May 16, 2026, 4:26 PM
Updated: May 16, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.