Cross-site Scripting (XSS) - Stored in instantsoft/icms2
Description
Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1.-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in icms2 prior to 2.16.1-git allows attackers with admin panel access to inject arbitrary JavaScript via file upload.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in instantsoft/icms2 prior to version 2.16.1-git. The issue is located in the admin panel's file upload functionality, where user-supplied input is not properly sanitized, allowing attackers with administrator privileges to store malicious JavaScript payloads [1].
Exploitation
An attacker with access to the admin panel can upload a file containing a crafted XSS payload. The payload is stored on the server and executed when other administrators view the uploaded content, such as through the file manager or media browser. The vulnerability is present in the uploadForm and uploadFromLink functions, which were modified in the fix [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's browser. This can lead to session hijacking, defacement, or further compromise of the CMS by performing actions on behalf of the victim admin.
Mitigation
The vulnerability is fixed in icms2 version 2.16.1-git, which includes proper input sanitization for uploaded files. Users should update to the latest version. The commit [1] provides the patch. No workarounds are available if upgrading is not possible.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
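The mitigation above comes down to two controls on the upload path: never let an uploaded file become something the browser will execute when an administrator opens it from the file manager, and encode every user-supplied string before it is written into the listing's HTML. The following is an added illustration written for this page, not icms2's own uploadForm or uploadFromLink code; it assumes a generic PHP admin upload handler with a media browser that lists the stored files, and all names in it are hypothetical.

```php
<?php
// Added example (hypothetical hardened upload handler, not icms2 code).

// Allowlist of passive types the media browser needs. Active content such as
// html, svg, xml or js is deliberately absent: served inline from the same
// origin, a browser would run any script inside it in the admin's session.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];

function storeUpload(array $file, string $uploadDir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Trust the bytes, not the client-declared type or the extension alone.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the original name never becomes part of a path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    // The original name is kept only as display metadata (length-capped).
    return ['stored' => $stored, 'display' => mb_substr($file['name'], 0, 255)];
}

// Listing: every user-controlled string is encoded for the HTML context it lands in.
function renderRow(array $entry): string
{
    $name = htmlspecialchars($entry['display'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = htmlspecialchars('/uploads/' . $entry['stored'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li><a href=\"$href\">$name</a></li>";
}

// Serving: fixed type from the allowlist, and no MIME sniffing by the browser.
function sendFileHeaders(string $stored): void
{
    $ext = strtolower(pathinfo($stored, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
}
```

Checking the allowlist, the magic bytes and the output encoding together is the point: any one of them alone leaves a path to a file that renders as a page or a name that renders as markup.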
Affected products
- Range: <2.16.1.-git
- instantsoft/instantsoft/icms2v5 - Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.