VYPR
Medium severity · OSV Advisory · Published May 14, 2025 · Updated Apr 15, 2026

CVE-2025-47778

Description

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file that may load external data via the XML DOM library. This can be used for insecure XML External Entity (XXE) references. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may manually patch the affected file, src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php.
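
One defensive way to parse an uploaded SVG with PHP's DOM extension, added here as an example; it is not Sulu's code and not the project's patch. `loadUploadedSvg()` is a hypothetical helper, the sample documents are constructed, and PHP 8 with the DOM extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not Sulu's code: loadUploadedSvg() is a hypothetical helper.
function loadUploadedSvg(string $svg): DOMDocument
{
    $previous = libxml_use_internal_errors(true); // collect parse errors quietly
    try {
        $doc = new DOMDocument();
        // Only LIBXML_NONET is passed. LIBXML_NOENT, LIBXML_DTDLOAD and
        // LIBXML_DTDVALID are left out on purpose: they are the options that
        // make libxml substitute entities or load external DTD subsets.
        $ok = $svg !== '' && $doc->loadXML($svg, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    if (!$ok) {
        throw new InvalidArgumentException('upload is not well-formed XML');
    }
    // Entities can only be declared inside a DOCTYPE, and an SVG upload
    // needs none, so refuse any document that carries one. Checking the
    // parsed tree rather than the raw bytes also covers UTF-16 input.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('SVG with a DOCTYPE is refused');
    }
    if ($doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        throw new InvalidArgumentException('root element is not <svg>');
    }
    return $doc;
}

// Constructed samples; the entity target is a placeholder path.
$samples = [
    'plain' => '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    'entity' => '<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
        . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>',
];
foreach ($samples as $name => $svg) {
    try {
        loadUploadedSvg($svg);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```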

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| sulu/sulu (Packagist) | >= 2.5.21, < 2.5.25 | 2.5.25 |
| sulu/sulu (Packagist) | >= 2.6.5, < 2.6.9 | 2.6.9 |
| sulu/sulu (Packagist) | >= 3.0.0-alpha1, < 3.0.0-alpha3 | 3.0.0-alpha3 |
