TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload
Description
TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attacker can upload a specially crafted SVG file containing malicious JavaScript code. When another user (such as an administrator) views or accesses this file through the application, the script executes in their browser, leading to a compromise of that user's session. The issue is exacerbated by a bug in the SVG parsing logic, which can cause a 500 error if the uploaded SVG does not contain a viewBox attribute. However, this does not mitigate the XSS vulnerability, as an attacker can easily include a valid viewBox attribute in their malicious payload. Version 16.1.7 of TypiCMS Core fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TypiCMS prior to 16.1.7 contains a stored XSS vulnerability via unsanitized SVG file uploads, allowing attackers to execute arbitrary JavaScript in administrators' browsers.
Vulnerability
Overview
TypiCMS, a multilingual Laravel-based CMS, is affected by a stored cross-site scripting (XSS) vulnerability in its file upload module. The root cause is twofold: the FileFormRequest class explicitly whitelists svg as an allowed MIME type, and the FileUploader service saves uploaded SVG files without sanitizing their content for malicious elements such as `<script>` tags or event-handler attributes [1][2]. This allows an attacker with file upload permissions to upload a crafted SVG containing arbitrary JavaScript.
Exploitation
Prerequisites
To exploit the vulnerability, an attacker must have a user account with file upload permissions. The uploaded SVG is stored in a publicly accessible directory when the default filesystem disk is set to public, making it accessible via a direct URL [2]. When any user—including an administrator—views the malicious SVG file through the application, the embedded JavaScript executes in their browser. A secondary bug in the SVG parsing logic causes a 500 error if the SVG lacks a viewBox attribute, but this does not prevent exploitation because an attacker can trivially include a valid viewBox attribute in the payload [1][2].
Impact
Successful exploitation leads to session compromise of the victim user. An attacker can steal session cookies, perform actions on behalf of the victim, or deface the application. Because the XSS is stored, the payload persists and can affect multiple users over time [1][2].
Mitigation
The vulnerability is fixed in TypiCMS Core version 16.1.7 [1]. The fix involves sanitizing SVG file content before storage, as demonstrated in commit d480a0b [4]. Users are strongly advised to upgrade to the latest version. No workarounds are documented, but restricting file upload permissions to trusted users can reduce risk.
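The following is an added example, not TypiCMS code or the project's fix, that makes the three points above concrete on constructed input: a crafted SVG is a well-formed image/svg+xml document, so a MIME whitelist alone passes it; a sanitizer has to strip script elements, event-handler attributes and executable hrefs; and a sanitizer that cannot parse the file should reject the upload rather than store an empty one. It also reads image dimensions with a viewBox fallback instead of failing, the tolerant counterpart to the 500 error mentioned under Prerequisites. It uses only the Python standard library; the function names, the `ACTIVE_TAGS` set and the sample SVGs are this example's own.

```python
"""Added example (not TypiCMS code): content-level checks for SVG uploads."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed arbitrary HTML inside an SVG (example's own list).
ACTIVE_TAGS = {"script", "foreignObject"}
# URI schemes that make an href executable or navigate to attacker-controlled content
# when the SVG is rendered inline. data: is included because a data:text/html link is
# such a navigation; relax it for <image> if embedded raster data is required.
ACTIVE_URI_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.split("}", 1)[1] if "}" in qname else qname


def _is_active_attr(name: str, value: str) -> bool:
    """True for on* event handlers and for href/xlink:href with an active scheme."""
    local = _local(name)
    return local.lower().startswith("on") or (
        local == "href" and bool(ACTIVE_URI_RE.match(value))
    )


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Detection view: list every script-capable construct in the document."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            if _is_active_attr(name, value):
                findings.append(f"{_local(name)} attribute on <{tag}>")
    return findings


def sanitize_svg(svg_bytes: bytes) -> Optional[bytes]:
    """Remove active content. Returns None when the input cannot be parsed;
    the caller must then reject the upload instead of storing an empty file."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return None
    # ElementTree has no parent pointers, so build a child -> parent map first.
    parent: Dict[ET.Element, ET.Element] = {c: p for p in root.iter() for c in p}
    for el in list(root.iter()):
        if _local(el.tag) in ACTIVE_TAGS and el in parent:
            parent[el].remove(el)  # drops the element together with its subtree
    for el in root.iter():
        for name in [n for n, v in el.attrib.items() if _is_active_attr(n, v)]:
            del el.attrib[name]
    ET.register_namespace("", SVG_NS)      # keep a plain xmlns="..." on output
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def vet_svg_upload(svg_bytes: bytes) -> Tuple[str, Optional[bytes]]:
    """Upload-handler decision: ('store', cleaned_bytes) or ('reject', None)."""
    cleaned = sanitize_svg(svg_bytes)
    return ("reject", None) if cleaned is None else ("store", cleaned)


def svg_dimensions(svg_bytes: bytes) -> Optional[Tuple[float, float]]:
    """Width/height from the root element, falling back to viewBox, else None.
    Returning None is the tolerant alternative to raising when viewBox is absent."""
    root = ET.fromstring(svg_bytes)

    def number(text: Optional[str]) -> Optional[float]:
        m = re.match(r"\s*([0-9]*\.?[0-9]+)", text or "")  # accepts "100px", "24"
        return float(m.group(1)) if m else None

    width, height = number(root.get("width")), number(root.get("height"))
    if width is not None and height is not None:
        return (width, height)
    parts = (root.get("viewBox") or "").replace(",", " ").split()
    if len(parts) == 4:
        return (float(parts[2]), float(parts[3]))
    return None


# Constructed sample: well-formed image/svg+xml with a valid viewBox (so it passes a
# MIME whitelist and the dimension parser) yet carrying three script-capable constructs.
CRAFTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a href="javascript:alert(1)"><rect width="24" height="24"/></a>'
    b'</svg>'
)
# Constructed sample: passive, but with neither viewBox nor width/height.
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    print(find_active_content(CRAFTED_SVG))
    decision, cleaned = vet_svg_upload(CRAFTED_SVG)
    print(decision, cleaned.decode())
    print(svg_dimensions(CRAFTED_SVG), svg_dimensions(PLAIN_SVG))
```

`find_active_content` is the shape of check a defender can run over an existing uploads directory to find files stored before the fix; `vet_svg_upload` is the decision an upload handler should make, and its reject branch is the part a sanitizer integration most often gets wrong.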
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typicms/core (Packagist) | < 16.1.7 | 16.1.7 |
Affected products
- TypiCMS/Core: < 16.1.7
Patches
1 file changed · +16 −0
src/Services/FileUploader.php+16 −0 modified@@ -4,6 +4,7 @@ namespace TypiCMS\Modules\Core\Services; +use enshrined\svgSanitize\Sanitizer; use Illuminate\Http\UploadedFile; use Illuminate\Support\Arr; use Illuminate\Support\Facades\Storage; @@ -27,6 +28,10 @@ public function handle( $filenameWithoutExtension = $this->removeCroppaPattern($filenameWithoutExtension); $filenameWithoutExtension = Str::slug($filenameWithoutExtension) ?: Str::slug(Str::random()); + if ($extension === 'svg') { + $this->sanitizeSvg($file); + } + [$width, $height] = $this->getImageDimensions($file, $extension); $filename = $this->generateUniqueFilename($filenameWithoutExtension, $extension, $path, $disk); $path = $file->storeAs($path, $filename, $disk); @@ -105,6 +110,17 @@ private function generateUniqueFilename( return $filename; } + private function sanitizeSvg(UploadedFile $file): void + { + $sanitizer = new Sanitizer(); + $sanitizedContent = $sanitizer->sanitize($file->getContent()); + + file_put_contents( + $file->getPathname(), + $sanitizedContent ?: '' + ); + } + private function correctImageOrientation(UploadedFile $file): void { if (!function_exists('exif_read_data')) {
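Review bot: the new `use enshrined\svgSanitize\Sanitizer;` import in the first hunk introduces a third-party dependency, but this patch touches only src/Services/FileUploader.php, so the matching composer.json require entry (and lock-file update) is not part of the change; please confirm it ships alongside, otherwise the class is missing at runtime and every SVG upload fails in handle().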
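Review bot: the guard `if ($extension === 'svg')` in the handle() hunk is a case-sensitive comparison; unless `$extension` is already lowercased earlier in handle() (not visible here), a file with the extension `SVG` skips sanitizeSvg() but is still stored by the later `$file->storeAs($path, $filename, $disk)` call. Suggest `strtolower($extension) === 'svg'` or keying the check on the detected MIME type rather than the extension string.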
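Review bot: in the sanitizeSvg() hunk, `$sanitizedContent ?: ''` turns a sanitizer failure (sanitize() returning false when the XML cannot be parsed) into a zero-byte file that handle() then stores and serves under the uploaded name; a failed sanitization should abort the upload instead, e.g. throw a validation exception when `$sanitizedContent === false`. The return value of file_put_contents() is also unchecked, so a write failure would leave the original unsanitized temp file in place for storeAs() to persist; check it and fail the upload on error.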
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-xfvg-8v67-j7wp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27621 (NVD entry)
- github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d (fix commit)
- github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp (vendor advisory)
News mentions
No linked articles in our index yet.