VYPR
Medium severity · NVD Advisory · Published Feb 12, 2026 · Updated Apr 15, 2026

CVE-2026-2276


Description

Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web application, where the endpoint https://manage.wix.com/account/account-settings, responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded JavaScript code, which is stored and subsequently executed when other users view the image. Exploiting this vulnerability allows arbitrary code to be executed in the context of the victim's browser, which could lead to the disclosure of sensitive information or the abuse of the affected user's session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Wix SVG upload allows authenticated attackers to execute arbitrary JavaScript in victims' browsers, risking data theft and session hijacking.

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Wix web application, specifically in the endpoint responsible for uploading SVG images at https://manage.wix.com/account/account-settings. The application fails to properly sanitize the content of uploaded SVG files, allowing an attacker to embed malicious JavaScript code within an SVG [1].

To exploit this, an attacker must be authenticated to the Wix platform (PR:L). The attacker uploads a crafted SVG file containing embedded JavaScript. The file is stored on the server, and when another user views the uploaded image, the script executes in the context of their browser. This requires the victim to navigate to the image, but no additional user interaction is needed beyond viewing the content [1].

Successful exploitation allows arbitrary code execution in the victim's browser, which can lead to the disclosure of sensitive information, such as session tokens or personal data, and abuse of the affected user's session. The CVSS v4.0 base score is 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N [1].

As of the advisory publication, no official patch or solution has been reported by the vendor. Organizations using Wix should monitor for updates and consider restricting SVG uploads or applying input validation as a workaround [1].
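The workaround above (restricting SVG uploads or validating their content) can be implemented server-side. The following is an added example written for this page, not Wix code: an allowlist check a Python upload handler could run before storing a file. The element and attribute lists, the `svg_findings` function and the two sample files are my own constructed choices.

```python
"""Allowlist validation for uploaded SVG files (added example, not Wix code).

Assumption: the upload handler can reject a file before it is stored. The
check flags the script carriers that make an SVG dangerous when viewed:
<script>, event-handler attributes (on*), scheme URLs in href, and any
element outside a small allowlist (e.g. <foreignObject>, <a>, <image>).
For untrusted XML in production prefer defusedxml (entity-expansion guards).
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Element allowlist (local names); anything else is reported.
ALLOWED_ELEMENTS = {
    "svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline",
    "polygon", "text", "tspan", "defs", "linearGradient", "radialGradient",
    "stop", "clipPath", "mask", "title", "desc", "use", "symbol",
}
# Attributes that carry URLs; only same-document fragment references pass.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
SAFE_URL = re.compile(r"^#[\w-]+$")

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject the SVG; an empty list means it passed."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root element is not <svg>")
    for el in root.iter():          # includes the root element itself
        name = _local(el.tag)
        if name not in ALLOWED_ELEMENTS:
            findings.append(f"disallowed element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif attr in URL_ATTRS and not SAFE_URL.match(value.strip()):
                findings.append(f"external or scheme URL in {aname} on <{name}>")
            elif aname == "style" and "url(" in value.replace(" ", "").lower():
                findings.append(f"url() in style on <{name}>")
    return findings

# Constructed samples (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
               b'<script>x()</script><a xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'xlink:href="javascript:x()"><text>hi</text></a></svg>')
```

Rejecting on any finding is the safe policy; stripping offending nodes and re-serializing is also possible but the allowlist must then be applied again to the output.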

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
