Medium severity5.4NVD Advisory· Published Apr 28, 2026· Updated Apr 28, 2026
CVE-2026-38948
CVE-2026-38948
Description
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=1.5.2
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.