VYPR
Low severity (score 2.4) · NVD Advisory · Published Aug 25, 2025 · Updated Apr 29, 2026

CVE-2025-9416

Description

A security flaw has been discovered in oitcode samarium up to 0.9.6. This vulnerability affects unknown code of the file /cms/webpage/ of the component Pages Image Handler. The manipulation results in cross site scripting. The attack may be performed from a remote location. The exploit has been released to the public and may be exploited.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in oitcode samarium through SVG upload in the Pages Image Handler allows remote attackers to execute arbitrary JavaScript when the malicious SVG is viewed.

The vulnerability is a stored cross-site scripting (XSS) issue in the Samarium - Business Management System version 0.9.6. It resides in the image upload feature for page creation at /cms/webpage/, which accepts SVG files without proper sanitization [1].

An attacker can upload a specially crafted SVG file containing embedded JavaScript. The file is stored in /gallery/ and is accessible without authentication. When a victim views the SVG in a browser, the JavaScript executes in the context of the victim's session [1].

The impact includes arbitrary script execution, which can lead to session hijacking, data theft, or other malicious actions performed under the victim's identity [1].

No official patch has been released for this vulnerability. As a mitigation, administrators should disable SVG uploads or implement strict validation to prevent malicious file uploads. The exploit has been publicly disclosed, increasing the risk of active exploitation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
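The narrative above recommends either disabling SVG uploads or validating them strictly. The following is an added example of such a server-side gate, written for this page and not taken from the samarium project: it parses the upload as XML, accepts only an SVG root, and rejects script elements, event-handler attributes, dangerous or external `href` values, and DOCTYPE/ENTITY declarations. A second helper returns response headers for serving already-stored gallery files so that even an SVG that slipped past validation cannot run script. The function names (`validate_svg_upload`, `gallery_response_headers`), the forbidden-element list and the sample documents are assumptions constructed for the example.

```python
"""Strict SVG upload validation plus safe-serving headers (added example)."""
import re
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can execute script, embed foreign documents, or pull in
# remote content when the SVG is rendered as a top-level document.
# (List is an assumption for this example; tighten or loosen per policy.)
FORBIDDEN_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object",
    "use", "set", "animate", "style",
}

# URI schemes that must never appear in an href (xlink:href or plain href).
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qualified.rsplit("}", 1)[-1]


def validate_svg_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only well-formed, script-free SVG is accepted."""
    upper = data.upper()
    # A DOCTYPE or ENTITY declaration is never needed for an image and enables
    # entity-expansion / external-entity tricks, so reject before parsing.
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return False, "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{name}>"
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            # Every on* attribute in SVG is an event handler (onload, onclick, ...).
            if aname.lower().startswith("on"):
                return False, f"event handler attribute {aname} on <{name}>"
            if aname == "href":
                if DANGEROUS_SCHEME.match(value):
                    return False, f"dangerous URI scheme in href on <{name}>"
                if value.lstrip().lower().startswith(("http:", "https:", "//")):
                    return False, f"external reference in href on <{name}>"
    return True, "ok"


def gallery_response_headers() -> dict[str, str]:
    """Defence in depth for files already stored under a public gallery path:
    browsers honour CSP on a directly opened SVG, so script is blocked and the
    document is sandboxed away from the application's origin."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample uploads (not real files from the advisory).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#36c"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("t")</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"/>'
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>')
DOCTYPE_SVG = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>'
NOT_SVG = b"<html><body>hi</body></html>"

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG),
                       ("js-href", JS_HREF_SVG), ("doctype", DOCTYPE_SVG), ("html", NOT_SVG)]:
        print(f"{label:8s} -> {validate_svg_upload(doc)}")
```

Rejecting rather than trying to strip offending nodes keeps the policy simple to reason about; the header helper is the fallback for files already present before the check was introduced.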

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)