malicious SVG attachment causing stored XSS vulnerability in MoinMoin
Description
MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious JavaScript. This JavaScript is executed in a user's browser when the user views that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MoinMoin before 1.9.11 allows attackers with write permissions to upload SVG files containing malicious JavaScript, leading to stored XSS.
Vulnerability
This is a stored cross-site scripting (XSS) vulnerability. An attacker with write permissions can upload an SVG file containing JavaScript as a wiki attachment [1][2]. The fix commit shows the actual cause: image/svg+xml was missing from the mimetypes_xss_protect list, so SVG attachments were served inline under their own content type instead of being forced to download, and a browser that loads such a file as a document executes its script in the wiki's origin. The defence is not sanitization of the SVG content but how the file is served.
Exploitation
To exploit this, the attacker needs write access to the wiki, which includes uploading attachments. Once an SVG containing script is uploaded, any user who opens that attachment in a browser has the script run in the wiki's origin [1][2]. One caveat for assessing exposure: script inside an SVG executes only when the file is loaded as a document (navigating to the attachment URL, or embedding it via object or iframe). An SVG displayed through an img element does not run script, so the victim has to open the attachment itself, not merely a page that shows it as an image.
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the wiki's origin [1]. The attacker can then act as the victim on the wiki: read or modify pages the victim can access, exfiltrate whatever the session exposes, or deface content. The only privilege required is the write permission needed to upload the attachment.
Mitigation
MoinMoin Wiki version 1.9.11 includes the fix [1][3]; users are strongly advised to upgrade immediately. The fix is a configuration change (see Patches): image/svg+xml is added to mimetypes_xss_protect, the list of attachment types MoinMoin serves as a download rather than inline. Where upgrading is not immediately possible, the advisory's options are to disallow SVG uploads or restrict write permissions [1]; following the fix commit, the same image/svg+xml entry can also be added to mimetypes_xss_protect in the site's wikiconfig.py, which overrides the default in multiconfig.py. Sites that already override that list must add the entry themselves, because upgrading does not change an overridden value.
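The serving behaviour described under Vulnerability and the check an administrator would want after applying the mitigation, as an added example (not MoinMoin project code). The two mimetype lists are copied from the fix commit's diff; the attachment/inline decision mirrors what MoinMoin 1.9's AttachFile action does with mimetypes_xss_protect (that code is not shown on this page), and the sample headers and the example attachment URL shape are constructed for this illustration.

```python
"""Check whether a MoinMoin wiki serves SVG attachments in a way that lets
embedded script run (pre-1.9.11 behaviour) or forces them to download
(the 1.9.11 fix). Added example; not MoinMoin project code."""
from __future__ import annotations

import sys
import urllib.request

# Default mimetypes_xss_protect list from MoinMoin/config/multiconfig.py,
# copied from the fix commit's diff: before and after the patch.
XSS_PROTECT_BEFORE = ["text/html", "application/x-shockwave-flash", "application/xhtml+xml"]
XSS_PROTECT_AFTER = ["text/html", "image/svg+xml", "application/x-shockwave-flash", "application/xhtml+xml"]


def content_disposition_for(mimetype: str, xss_protect: list[str]) -> str:
    """Decision MoinMoin 1.9's AttachFile action makes when sending an attachment:
    a type listed in mimetypes_xss_protect is sent as 'attachment' (the browser
    saves it), anything else is sent 'inline' (the browser renders it).
    The AttachFile code is not shown on this page; this function mirrors it."""
    return "attachment" if mimetype.lower().strip() in xss_protect else "inline"


def _token(header: str | None) -> str:
    """First ';'-separated token of a header value, lower-cased ('' if absent)."""
    return (header or "").split(";", 1)[0].strip().lower()


def classify_headers(content_type: str | None, content_disposition: str | None) -> str:
    """Classify an attachment response by its headers.

    'safe'       -> Content-Disposition: attachment; the browser downloads the
                    file, so script inside it never runs in the wiki origin.
    'vulnerable' -> served inline as image/svg+xml; navigating to the URL (or
                    embedding it via object/iframe) executes embedded script.
    'not-svg'    -> served inline under another type; not rendered as SVG.
    """
    if _token(content_disposition) == "attachment":
        return "safe"
    if _token(content_type) == "image/svg+xml":
        return "vulnerable"
    return "not-svg"


def check_attachment(url: str) -> str:
    """Fetch a live attachment URL and classify it (network access; not used by tests).
    Assumed URL shape, verify against your wiki:
    https://wiki.example.org/PageName?action=AttachFile&do=get&target=file.svg
    """
    req = urllib.request.Request(url, headers={"User-Agent": "svg-xss-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_headers(resp.headers.get("Content-Type"),
                                resp.headers.get("Content-Disposition"))


# Constructed sample responses: the headers an instance would send for an
# uploaded "evil.svg" before and after the fix (made up for this example).
SAMPLE_RESPONSES = {
    "pre-1.9.11": ("image/svg+xml", 'inline; filename="evil.svg"'),
    "1.9.11": ("image/svg+xml", 'attachment; filename="evil.svg"'),
}


def classify_samples() -> dict[str, str]:
    """Verdict for each constructed sample response."""
    return {name: classify_headers(ct, cd) for name, (ct, cd) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_attachment(sys.argv[1]))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
        for label, lst in (("before", XSS_PROTECT_BEFORE), ("after", XSS_PROTECT_AFTER)):
            disp = content_disposition_for("image/svg+xml", lst)
            print(f"image/svg+xml served as {disp} ({label} fix)")
```

Run it with an attachment URL as the only argument to classify a live instance; without arguments it classifies the constructed samples. A verdict of 'vulnerable' after upgrading points at a wikiconfig.py that overrides mimetypes_xss_protect without the new entry.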
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moin (PyPI) | < 1.9.11 | 1.9.11 |
Affected products
Three entries, from the GHSA coordinates:
- moin (no CPE): < 1.9.11
- moin (no CPE): < 1.9.11-bp152.4.3.1
- moinwiki/moin-1.9 (GitHub repository): < 1.9.11
Patches
31de9139d0aa Merge pull request from GHSA-4q96-6xhq-ff43
2 files changed · +2 −1
MoinMoin/config/__init__.py+1 −1 modified@@ -12,7 +12,7 @@ from MoinMoin.util.chartypes import * # List of image types browser do support regulary -browser_supported_images = ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico', ) +browser_supported_images = ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico', 'svg+xml') # Parser to use mimetype text parser_text_mimetype = ('plain', 'csv', 'rst', 'docbook', 'latex', 'tex', 'html', 'css',
MoinMoin/config/multiconfig.py+1 −0 modified@@ -1143,6 +1143,7 @@ def __init__(self, exprstr): ('mimetypes_xss_protect', [ 'text/html', + 'image/svg+xml', 'application/x-shockwave-flash', 'application/xhtml+xml', ],
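Review bot: the browser_supported_images hunk in MoinMoin/config/__init__.py mixes semantics; the existing entries ('gif', 'jpg', 'jpeg', 'png', 'bmp', 'ico') read as file extensions, while the new 'svg+xml' is a MIME subtype, so any caller that compares a filename's extension against this tuple will still not treat .svg as an image, and only callers comparing the mimetype's minor part will. Either add 'svg' alongside 'svg+xml', or document in the comment above the tuple which form the list holds (and fix 'regulary' while there). The comment should also say why SVG is being added in a security fix: rendering through an img element does not execute script, and direct loads are handled by the multiconfig hunk forcing image/svg+xml to download, so the two hunks should land together.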
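Review bot: in the MoinMoin/config/multiconfig.py hunk the new 'image/svg+xml' entry changes only the shipped default; a site whose wikiconfig.py already overrides mimetypes_xss_protect keeps its old list and stays exposed after upgrading, so the 1.9.11 release notes and this option's documentation should tell administrators to add 'image/svg+xml' to their own list. Matching is against the exact string, so the registered type is the right spelling; the option's description should also record that SVG belongs here because a browser executes script in an SVG it loads inline as a document.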
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-4q96-6xhq-ff43 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15275 (NVD)
- https://advisory.checkmarx.net/advisory/CX-2020-4285 (Checkmarx advisory)
- https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2 (fix commit)
- https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11 (release)
- https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43 (vendor advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2020-241.yaml (PyPA advisory database)
- https://pypi.org/project/moin (PyPI)