VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2024 · Updated Oct 30, 2024

InstantCMS has a Cross Site Scripting Vulnerability

CVE-2024-50348

Description

InstantCMS is a free and open source content management system. The photo upload function on the photo album page performs no input validation. As a result, attackers are able to inject an XSS (Cross Site Scripting) payload and have it execute. This vulnerability is fixed in 2.16.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

InstantCMS v2.16.2 and earlier are vulnerable to stored XSS via crafted EXIF data in photo uploads, allowing arbitrary JavaScript execution in the photo album page.

Vulnerability

In InstantCMS versions prior to 2.16.3, the photo upload function in the photo album page lacks input validation on EXIF metadata fields [1]. Specifically, the Camera Model Name metadata is not sanitized before being stored and later rendered on the /photos/camera-{payload} page [2]. This allows an attacker to inject arbitrary HTML and JavaScript code into the application.

Exploitation

An attacker must have a valid user account (e.g., demo) and be able to upload an image file [2]. The attacker crafts an image with a malicious payload embedded in the Camera Model Name EXIF field [2]. After uploading the image, the attacker navigates to the corresponding camera URL (e.g., `/photos/camera-Amal_Test%3Cimg+src=%22asd%22+onerror=%22alert(1)%22%3E`) [2]. The payload is executed immediately in the browser of any user visiting that page because the server does not sanitize the metadata [2].

Impact

Successful exploitation results in stored cross-site scripting (XSS) [2]. An attacker can execute arbitrary JavaScript in the context of the victim's session, which can be used to steal cookies, redirect users to malicious sites, perform actions on the victim's behalf, log keystrokes, or deface the website [2]. No special network position is required beyond access to the web application, and the attack does not require user interaction beyond the victim visiting the crafted URL [2].

Mitigation

The vulnerability is fixed in InstantCMS version 2.16.3 [1]. The fix is implemented in commit e02de2f, which refactors the EXIF handling to sanitize input [1]. Users should upgrade to version 2.16.3 immediately. No workarounds are documented for earlier versions [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing input sanitization on EXIF metadata values extracted from uploaded images allows stored XSS."

Attack vector

An attacker logs in as a demo user, navigates to the photo upload page, and uploads a JPEG image containing a malicious XSS payload embedded in the Camera Model Name EXIF metadata field (e.g., `

Affected code

The vulnerability resides in the `img_get_params()` function within the photo upload flow. The function reads EXIF metadata from uploaded JPEG images, including the "Camera Model Name" field (`IFD0.Model`), and returns it without sanitization [ref_id=1]. The advisory identifies the affected component as the photo upload function in the photo album page [ref_id=2].

What the fix does

The patch adds `strip_tags()` to sanitize all string EXIF values before they are returned by `img_get_params()` [ref_id=1]. Specifically, a new loop iterates over `$exif_data` and applies `strip_tags($value)` to each string value, removing any HTML or JavaScript payloads. This closes the XSS vector because the Camera Model Name (and other EXIF fields) are no longer rendered as raw HTML when displayed on the photo album page.
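The sanitising loop described above, paired with encoding at output, as an added example that is not the InstantCMS patch or any project code. The function names `sanitize_exif_values` and `render_camera_model`, the control-byte stripping and the sample array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not InstantCMS code: clean every string in an
// exif_read_data()-style array, including nested sections such as IFD0.
function sanitize_exif_values(array $exif): array
{
    $clean = [];
    foreach ($exif as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = sanitize_exif_values($value);
        } elseif (is_string($value)) {
            // The primitive the fix is described as applying to each string.
            $value = strip_tags($value);
            // Added hardening (assumption): also drop ASCII control bytes.
            $clean[$key] = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '');
        } else {
            $clean[$key] = $value; // numeric values pass through unchanged
        }
    }
    return $clean;
}

// Encode at output too: strip_tags() leaves quotes and ampersands intact,
// and values stored before the fix may still hold raw markup.
function render_camera_model(string $model): string
{
    return htmlspecialchars($model, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample shaped like exif_read_data($file, null, true) output.
// The Model value is the URL-decoded form of the camera URL quoted on the page.
$exif = [
    'IFD0' => [
        'Make'        => 'ExampleCam',
        'Model'       => 'Amal_Test<img src="asd" onerror="alert(1)">',
        'Orientation' => 1,
    ],
];

$stored = sanitize_exif_values($exif);
echo 'stored:   ', $stored['IFD0']['Model'], PHP_EOL;
echo 'rendered: ', render_camera_model($exif['IFD0']['Model']), PHP_EOL;
```

The first line shows what the sanitising loop would store; the second shows the untouched value rendered inertly by the output encoder, which is the layer that still protects pages displaying metadata saved before the upgrade.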

Preconditions

  • auth: Attacker must have a valid user account (e.g., demo user) to access the photo upload page
  • input: Attacker must upload a JPEG image with a crafted EXIF Camera Model Name field containing an XSS payload
  • config: The application must have the PHP EXIF extension enabled (exif_read_data must be available)

Reproduction

1. Log in to the InstantCMS instance as a demo user.
2. Navigate to `/photos/upload`.
3. Upload a JPEG image whose EXIF "Camera Model Name" metadata field contains a payload such as `

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
