FluentCMS Stored Cross-Site Scripting Vulnerability via SVG Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in FluentCMS version 2026. This issue allows authenticated administrators to upload SVG files containing embedded JavaScript through the File Management module. The malicious JavaScript executes in the browser of any user who accesses the URL of the uploaded file. The vulnerability arises because the application does not properly sanitize SVG files before allowing them to be uploaded. Since SVG files can include JavaScript, the embedded code runs automatically when the image is viewed in a browser. Additionally, uploaded files are stored in a public directory and served without strict security headers, enabling the XSS attack to affect all users, including those who are not authenticated.
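The two gaps named above (no inspection of uploaded SVGs, no strict headers on served files) can be closed as in the following sketch. It is an added example, not FluentCMS code and not part of the original advisory; the names svg_findings and UPLOAD_RESPONSE_HEADERS, the strict reject-on-find policy and the sample files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Second layer: send these on every response that serves an uploaded file.
UPLOAD_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; sandbox",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
}
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # namespace is stripped, so this covers xlink:href

def local(name: str) -> str:
    """Drop the XML namespace and case: '{ns}Script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG is rejected; empty list means it passes."""
    try:
        text = data.decode("utf-8")  # refuse other encodings instead of guessing
    except UnicodeDecodeError:
        return ["not UTF-8"]
    if "<!DOCTYPE" in text:  # strict policy: no DTD, so no entity declarations
        return ["DOCTYPE declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name, val = local(attr), value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler '{name}' on <{tag}>")
            elif name in URL_ATTRS and not val.startswith("#"):
                # allow-list: only same-document references such as "#grad1"
                findings.append(f"non-local URL in '{name}' on <{tag}>")
            elif name == "attributename" and (val.startswith("on") or val.endswith("href")):
                findings.append(f"animation targets '{val}' on <{tag}>")
    return findings

# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
          b'<script>void 0</script><a href="https://example.test/x">t</a></svg>')
```

The check rejects rather than rewrites, so a file that fails is never stored; the headers cover anything the check misses by forcing a download and denying script execution in the site's origin.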

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript in the browsers of users accessing the file URLs.

Reproduction

To reproduce this vulnerability, log into the FluentCMS admin panel and navigate to the File Management module. Once there, upload an SVG file that contains malicious JavaScript. After the file is uploaded, the JavaScript code will execute automatically when the file URL is accessed in a browser.

Added: Jan 29, 2026, 8:32 PM
Updated: Jan 29, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.3
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.