CVE-2026-38948
Description
Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in FUEL CMS v1.5.2 asset upload allows low-privileged users to upload malicious SVG files, leading to admin account takeover via CSRF token theft.
Vulnerability
Overview
A stored Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS version 1.5.2 and earlier within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing embedded JavaScript to persist on the server. This issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type) [1].
Exploitation
Details
An authenticated low-privileged user can upload a crafted SVG file containing malicious JavaScript. When an administrator subsequently views or previews the uploaded SVG file, the embedded script executes in the administrator's authenticated browser session. The script fetches the administrator's profile page to extract the CSRF token, then uses that token to submit a form that changes the administrator's username, email, and password [1].
Impact
Successful exploitation results in full administrator account takeover, granting the attacker complete control over the FUEL CMS instance. The official CVSS v3 score is 5.4 (Medium), though the researcher's analysis assigns a score of 7.1 (High) due to the high impact on confidentiality, integrity, and availability [1].
Mitigation
Status
As of the publication date, no official patch has been released. Mitigation requires sanitizing SVG uploads by stripping script elements or restricting allowed file types to non-executable formats. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
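The sanitization the status note describes, as an added example that is not part of this CVE record or of FUEL CMS: a defender-side check for the upload handler that rejects an SVG when it contains script elements, event-handler attributes or script URIs. The function names and the two sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructs that let an SVG run script or embed foreign content when it is
# rendered inline or opened directly in the browser.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

def _local(qname: str) -> str:
    """Strip an ElementTree '{namespace}' or 'prefix:' part and lower-case."""
    return qname.rsplit("}", 1)[-1].rpartition(":")[2].lower()

def svg_upload_findings(data: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means it passed."""
    # The stdlib parser keeps the example self-contained; a deployment should
    # parse with defusedxml so entity-expansion tricks are rejected as well.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler '{name}' on <{tag}>")
            elif name in URL_ATTRS and SCRIPT_URI.match(value):
                findings.append(f"script URI in '{name}' on <{tag}>")
            elif name == "attributename" and _local(value) == "href":
                # <animate>/<set> retargeting href can swap in a script URI
                findings.append(f"animation of href on <{tag}>")
    return findings

def accept_svg_upload(data: bytes) -> bool:
    """Policy hook for the upload handler: reject on any finding."""
    return not svg_upload_findings(data)

# Constructed sample inputs (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              b'<script>alert(1)</script><a href="javascript:alert(1)"/></svg>')
```

Rejecting is simpler to get right than stripping, and this check is a first gate rather than a complete sanitizer; serving uploads from a separate origin with `Content-Disposition: attachment` or a restrictive Content-Security-Policy limits what any SVG that slips through can do.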
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.