{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38948", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T17:59:04.934Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T15:55:39.177Z"}, "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/daylightstudio/FUEL-CMS"}, {"url": "https://www.youtube.com/watch?v=lLCF0xbjecQ"}, {"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T17:58:35.409616Z", "id": "CVE-2026-38948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:59:04.934Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38948", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T17:59:04.934Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T15:55:39.177Z"}, "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/daylightstudio/FUEL-CMS"}, {"url": "https://www.youtube.com/watch?v=lLCF0xbjecQ"}, {"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-38948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T17:58:35.409616Z"}}}], "references": [{"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:58:59.912Z"}}]}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code."}], "id": "CVE-2026-38948", "lastModified": "2026-04-28T20:13:21.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-28T16:16:13.557", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md"}, {"source": "cve@mitre.org", "url": "https://github.com/daylightstudio/FUEL-CMS"}, {"source": "cve@mitre.org", "url": "https://www.youtube.com/watch?v=lLCF0xbjecQ"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.2]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-04-29T02:17:05.522311+00:00", "value": {"mitigation_remediation": ["Upgrade to a newer release of FUEL CMS that includes proper SVG sanitization", "If an upgrade is not feasible, disable the SVG upload feature or restrict uploads to safe file types", "Implement server\u2011side validation to strip script tags and other dangerous elements from uploaded SVG files before rendering", "Deploy a web application firewall to detect and block XSS payloads in file uploads"], "summary": {"action": "Apply Update", "impact": "Client\u2011side Cross\u2011Site Scripting via uploaded SVG"}, "threat_synthesis": {"affected_systems": "Installations running FUEL CMS version 1.5.2 or earlier are affected. The flaw is present in the asset upload functionality used throughout the admin interface and any pages that display uploaded SVG assets.", "description_and_impact": "The vulnerability lies in FUEL CMS's asset upload feature, where SVG files are not properly sanitized. A low\u2011privileged authenticated user can upload a crafted SVG containing malicious code.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate impact. EPSS is not provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a low\u2011privileged authenticated account that can upload a crafted SVG. The description states that the application fails to sanitize SVG files, but it does not explicitly mention how or whether the malicious script is executed when the file is viewed. Based on typical XSS behavior in web applications, it is inferred that rendering a malicious SVG would execute the embedded script in the viewer\u2019s browser, but this inference is not confirmed by the supplied description."}}}}, "created": "2026-04-28T17:30:10.421981+00:00", "updated": "2026-04-29T02:30:07.564766+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}