Perch CMS Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Perch CMS version 3.2. Authenticated users can upload SVG files that contain embedded JavaScript. When a browser renders such a file directly from the site, the script executes in the site's origin, potentially stealing user session information or enabling other client-side attacks.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: uploaded SVG files execute JavaScript when accessed, which can lead to session theft or other client-side attacks.

Reproduction

To reproduce this vulnerability, log into an account on Perch CMS 3.2 and navigate to the settings page. Upload an SVG file crafted with a script tag, such as one that alerts the document location. After uploading, access the SVG file through the resources directory to trigger the JavaScript execution.
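
One server-side control a defender would add at the upload step, as an added example that is not Perch CMS code: it parses the uploaded SVG with Python's ElementTree and rejects active content (script and foreignObject elements, on* event handlers, javascript:/data: URLs), and pairs that with response headers for the directory that serves uploads so that a file slipping past the filter is downloaded rather than executed. Function and constant names are assumptions; the sample SVGs are constructed.

```python
import xml.etree.ElementTree as ET

# Element and attribute names that let an SVG run script when a browser
# renders it directly. Names are compared without their XML namespace.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
URL_ATTRIBUTES = {"href", "{http://www.w3.org/1999/xlink}href"}

def _local_name(tag):
    # ElementTree spells namespaced names as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1].lower()

def svg_findings(data):
    """Return the reasons an SVG upload should be rejected (empty means clean).
    The standard-library parser is enough for this check; a production filter
    should parse with defusedxml so entity-expansion tricks are stopped too."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        name = _local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local_name(attr)
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif attr in URL_ATTRIBUTES and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"scripted URL in {aname} on <{name}>")
    return findings

def is_safe_svg(data):
    return not svg_findings(data)

def static_file_headers(filename):
    """Headers for serving uploads so that, even if the filter is bypassed, a direct
    visit downloads the file rather than executing it in the site's origin."""
    return {"Content-Type": "image/svg+xml", "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{filename}"',
            "Content-Security-Policy": "default-src 'none'; sandbox"}

# Constructed samples: a benign icon and an upload carrying a script element.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>alert(document.location)</script></svg>')
```

Embedding the SVG in an <img> tag does not run script in browsers, so the headers matter for the case the advisory describes: a user opening the file by its URL.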

Added: Dec 15, 2025, 9:41 PM
Updated: Dec 15, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.