Description

A Cross-Site Scripting (XSS) vulnerability exists in the asset upload functionality of FUEL CMS v1.5.2 and earlier. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.

PUBLISHED | Reserved 2026-04-06 | Published 2026-04-28 | Updated 2026-04-28 | Assigner: mitre

References

github.com/...ve-research/blob/main/CVE-2026-38948/README.md [exploit]

github.com/daylightstudio/FUEL-CMS

www.youtube.com/watch?v=lLCF0xbjecQ

cve.org (CVE-2026-38948)

nvd.nist.gov (CVE-2026-38948)
