FormCms avatar upload feature has a stored cross-site scripting (XSS) vulnerability

FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.

References

Published by the National Vulnerability Database Aug 28, 2025

Published to the GitHub Advisory Database Aug 28, 2025

Reviewed Aug 28, 2025

Last updated Aug 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Unrestricted Upload of File with Dangerous Type

CVE ID

GHSA ID

Source code

Uh oh!