Description

Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.

INFO

Published Date :

2026-04-28T00:00:00.000Z

Last Modified :

2026-04-28T17:59:04.934Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-38948 vulnerability.

Vendors Products
Daylightstudio
  • Fuel Cms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-38948.

URL Resource
https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md cve-icon cve-icon cve-icon
https://github.com/daylightstudio/FUEL-CMS cve-icon cve-icon
https://www.youtube.com/watch?v=lLCF0xbjecQ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System