CVE-2025-15549

MEDIUM EPSS 13.2%

Published Jan 29, 20265mo ago · Modified Jun 17, 20261w ago

4.8 CVSS 4.0

Medium

Published Jan 29, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL.

CVSS Details

Base Score

4.8

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

13.2% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor	Product	Version	Range
fluentcms	fluentcms	*	≤0.0.5

References 2

github.com https://github.com/fluentcms/FluentCMS/issues/2404

ExploitVendor Advisory
vulncheck.com https://www.vulncheck.com/advisories/fluentcms-stored-xss-via-svg-upload-in-file-management

Third Party AdvisoryVDB Entry

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.