CVE-2026-38948

Name of the Vulnerable Software and Affected Versions FUEL CMS versions prior to 1.5.2

Description A Cross-Site Scripting (XSS) issue exists within the asset upload functionality. The application does not properly sanitize uploaded SVG files, which allows a low-privileged authenticated user to upload a specially crafted SVG file containing malicious code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.