e107 CMS Upload Restriction Bypass Vulnerability Allowing SVG Files with XSS Payloads

Vulnerability

An upload restriction bypass vulnerability has been identified in e107 CMS version 3.2.1. It allows authenticated administrators to upload malicious SVG files through the media manager. Exploitation involves embedding cross-site scripting (XSS) payloads in the SVG files; the embedded scripts can execute arbitrary code in the browser when the files are viewed.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where uploaded SVG files execute scripts when accessed.

Reproduction

To reproduce this vulnerability, an authenticated administrator can upload an SVG file containing an XSS payload through the media manager. The uploaded file can then be accessed, triggering the execution of the embedded script.
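
A server-side check that flags this kind of file at upload time, or when auditing an existing media directory, written here as an added example (it is not code from e107 or from this advisory). The deny-lists, function names and sample files are assumptions constructed for illustration, and the strict DTD rule also rejects benign SVGs that carry a DOCTYPE.

```python
import re
import xml.etree.ElementTree as ET

# Assumed deny-lists for this example; extend to match local policy.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples: one SVG with active content, one plain drawing.
SAMPLE_ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                 b'<script>alert(2)</script>'
                 b'<a href="java&#9;script:alert(3)"><text>x</text></a></svg>')
SAMPLE_PLAIN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')


def local(name):
    """Strip the '{namespace}' prefix ElementTree adds and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return the reasons to reject an uploaded SVG; an empty list means none found."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8 encoded"]
    # Strict policy: NULs suggest a disguised encoding, and a DTD can define
    # entities that hide markup from the checks below.
    if "\x00" in text or re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["NUL byte or DTD declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local(root.tag) != "svg":
        findings.append("root element is not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            # Drop whitespace and control characters before the scheme test.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if compact.startswith(SCRIPT_SCHEMES):
                findings.append(f"script-capable URL in {name} on <{tag}>")
    return findings
```

Deny-list scanning is a detection aid, not a sanitizer. Serving uploaded SVGs with Content-Disposition: attachment, or under a Content-Security-Policy that disallows script, keeps a missed payload from running.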

Added: Jan 14, 2026, 12:29 AM
Updated: Jan 14, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.