Medium severity · OSV Advisory · Published May 14, 2025 · Updated Apr 15, 2026
CVE-2025-47778
Description
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file which may load external data via the XML DOM library. This can be used for insecure XML External Entity (XXE) references. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the affected file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php manually.
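The description names the failure mode (an uploaded SVG parsed by the PHP DOM library with external entities reachable) and the file that should guard against it. The inspector below is an added illustrative example, not Sulu's SvgFileInspector and not the project's patch: the class and method names are hypothetical, and the sample SVG strings are constructed here. It shows the three layers a defender would want in such a check: refuse any DOCTYPE or ENTITY declaration before parsing, parse with LIBXML_NONET and entity substitution off (never passing LIBXML_NOENT, which would enable substitution), and then verify that the parsed tree is a plain SVG root with no doctype node.

```php
<?php
// Added example: a hardened SVG file inspector against XXE.
// This is NOT Sulu's SvgFileInspector; class and method names are hypothetical.
declare(strict_types=1);

final class SafeSvgInspector
{
    /**
     * Returns true only when $content is an SVG document that can be parsed
     * without resolving or loading any external entity.
     */
    public function isSafeSvg(string $content): bool
    {
        // Defence 1: XXE needs a DOCTYPE to declare entities, and a valid SVG
        // never needs one, so reject the declaration before libxml sees it.
        if (preg_match('/<!DOCTYPE/i', $content) === 1
            || preg_match('/<!ENTITY/i', $content) === 1) {
            return false;
        }

        // Defence 2: parse with network access disabled and entity
        // substitution off, collecting libxml errors instead of PHP warnings.
        $previousUseErrors = libxml_use_internal_errors(true);
        $previousLoader = null;
        // Before PHP 8.0 external entity loading was enabled by default;
        // libxml_disable_entity_loader() is deprecated on 8.0+ so only call it there.
        if (\PHP_VERSION_ID < 80000) {
            $previousLoader = libxml_disable_entity_loader(true);
        }

        $dom = new \DOMDocument();
        $dom->resolveExternals = false;
        $dom->substituteEntities = false;
        // LIBXML_NONET: forbid network fetches. Deliberately no LIBXML_NOENT,
        // LIBXML_DTDLOAD or LIBXML_DTDATTR, all of which widen the attack surface.
        $loaded = $dom->loadXML($content, \LIBXML_NONET);

        $errors = libxml_get_errors();
        libxml_clear_errors();
        libxml_use_internal_errors($previousUseErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }

        if ($loaded === false || $errors !== []) {
            return false;
        }

        // Defence 3: the parsed tree must carry no doctype and must be rooted
        // at an <svg> element in the SVG namespace.
        if ($dom->doctype !== null) {
            return false;
        }
        $root = $dom->documentElement;

        return $root !== null
            && $root->localName === 'svg'
            && $root->namespaceURI === 'http://www.w3.org/2000/svg';
    }
}

// Constructed sample inputs (not taken from the advisory).
$benignSvg = '<?xml version="1.0"?>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect width="10" height="10"/></svg>';

// Shape of an XXE attempt: a DOCTYPE declaring an external SYSTEM entity.
// The target is a placeholder; the inspector rejects it on the DOCTYPE alone.
$xxeSvg = '<?xml version="1.0"?>'
    . '<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';

$inspector = new SafeSvgInspector();
var_dump($inspector->isSafeSvg($benignSvg)); // bool(true)
var_dump($inspector->isSafeSvg($xxeSvg));    // bool(false)
```

The pre-parse regex is intentionally redundant with the libxml flags: if a future PHP or libxml default changes the parser's behaviour, the upload is still refused before any entity can be declared. In an upload pipeline this check would run on the raw bytes before the file is stored or handed to any other consumer.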
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sulu/sulu (Packagist) | >= 2.5.21, < 2.5.25 | 2.5.25 |
| sulu/sulu (Packagist) | >= 2.6.5, < 2.6.9 | 2.6.9 |
| sulu/sulu (Packagist) | >= 3.0.0-alpha1, < 3.0.0-alpha3 | 3.0.0-alpha3 |
References
- github.com/advisories/GHSA-f6rx-hf55-4255 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-47778 (advisory, via GHSA)
- github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php (web, via NVD)
- github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544 (web, via NVD)
- github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255 (web, via NVD)