VYPR
Moderate severity · NVD Advisory · Published Aug 28, 2025 · Updated Aug 28, 2025

CVE-2025-56236

Description

FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FormCms v0.5.5 stored XSS in avatar upload allows authenticated attackers to execute JavaScript in privileged users' browsers.

Vulnerability

CVE-2025-56236 is a stored cross-site scripting (XSS) vulnerability in FormCms v0.5.5 affecting the avatar upload feature. Authenticated attackers can upload .html files containing malicious JavaScript via the /api/profile/avatar endpoint. The uploaded file is stored at a publicly accessible URL (/files/avatar/[random-id].html) and no authentication is required to access it [1][3][4].

Exploitation

To exploit, an attacker first uploads a malicious .html file. The public URL of the uploaded file can be retrieved via a separate endpoint, enabling the attacker to share the exact link. If a higher-privileged user, such as a Super Admin, visits the link (e.g., through social engineering), the embedded JavaScript executes in the context of their session [3][4].

Impact

Successful exploitation allows the attacker to perform unauthorized API actions on behalf of the victim, including full CRUD operations on users, roles, and other sensitive application data [3][4].

Mitigation

The vulnerability is patched in FormCms version 0.5.7. Users should upgrade immediately [3].
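The upload check described in the Vulnerability and Mitigation sections above, shown here as an added defensive example that is not FormCMS's own code and not the project's actual fix: the weak pattern keeps the client-supplied extension, so a file named with .html lands under /files/avatar/ as an .html document and is served as HTML; the hardened version allowlists image formats, verifies magic bytes against the extension, and pins the response headers so the stored file can never be rendered as a script-bearing document. The function names, the format allowlist, the size limit and the sample bytes are assumptions constructed for this illustration; only the /files/avatar/ path shape comes from the advisory.

```python
# Added example, not FormCMS code: weak vs. hardened avatar-upload validation.
# Path shape /files/avatar/<random-id>.<ext> is taken from the advisory text;
# everything else (names, allowlist, limits, sample bytes) is constructed.
from dataclasses import dataclass
import secrets

# Allowlist of avatar formats: extension -> (accepted magic-byte prefixes, served Content-Type)
ALLOWED_FORMATS = {
    "png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed limit for this illustration


@dataclass(frozen=True)
class StoredAvatar:
    path: str           # server-chosen, e.g. /files/avatar/<random-id>.png
    content_type: str   # pinned at upload time, never taken from the request
    headers: dict       # response headers to send when the file is served


def weak_accept(filename: str) -> str:
    """The vulnerable pattern: trust the client-supplied name and keep its extension.
    An upload named 'x.html' is stored as /files/avatar/<id>.html and later served as HTML."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else "bin"
    return f"/files/avatar/{secrets.token_hex(8)}.{ext}"


def hardened_accept(filename: str, declared_type: str, data: bytes) -> StoredAvatar:
    """Accept only files that are provably images; choose the stored name and the
    served Content-Type on the server side and add headers that block HTML rendering."""
    if len(data) > MAX_AVATAR_BYTES:
        raise ValueError("avatar too large")
    if "." not in filename:
        raise ValueError("missing extension")
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_FORMATS:
        raise ValueError(f"extension .{ext} not allowed for avatars")
    magics, content_type = ALLOWED_FORMATS[ext]
    # Content must match the claimed format: a .png name on an HTML body is rejected.
    if not any(data.startswith(m) for m in magics):
        raise ValueError("file content does not match its extension")
    if declared_type != content_type:
        raise ValueError("declared Content-Type does not match file content")
    # Normalise the stored extension; no client-controlled string reaches the path.
    stored_ext = "jpg" if ext == "jpeg" else ext
    path = f"/files/avatar/{secrets.token_hex(8)}.{stored_ext}"
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",                 # no browser type guessing
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered
    }
    return StoredAvatar(path, content_type, headers)


def rejects(filename: str, declared_type: str, data: bytes) -> bool:
    """True if the hardened check refuses the upload (convenience for tests and logging)."""
    try:
        hardened_accept(filename, declared_type, data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs: an HTML payload and a minimal PNG header.
    html_payload = b"<html><script>/* constructed sample */</script></html>"
    png_payload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("weak path for .html upload:", weak_accept("avatar.html"))
    print("hardened rejects .html:", rejects("avatar.html", "text/html", html_payload))
    print("hardened rejects html-as-png:", rejects("avatar.png", "image/png", html_payload))
    print("hardened accepts png:", hardened_accept("me.png", "image/png", png_payload).path)
```

The decisive checks are the magic-byte comparison and the server-chosen stored name: together they mean a user can neither smuggle HTML under an image extension nor steer the path to a .html file that the static handler will serve as a document. The nosniff and sandbox headers are defence in depth for the case where a stored file is ever served with a wrong type.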

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
FormCMS (NuGet)    < 0.5.7              0.5.7

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)