PT-2026-60099 · Easyadmin · Easyadmin

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-54087

CVSS v3.1

7.6

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions EasyAdmin (affected versions not specified)
Description Stored Cross-Site Scripting (XSS) occurs because FileField and ImageField accept browser-executable file types by default. FileField applies no MIME or extension restrictions, while ImageField accepts SVG files. When the upload directory is located within the public web root, files are linked inline without a download attribute or Content-Disposition: attachment header. An attacker can upload an .html or .svg file containing JavaScript; when an authenticated administrator opens the file, the script executes in their session context, potentially leading to session theft, CSRF-token theft, or privilege escalation. This issue requires the developer to store uploads in the public directory and a privilege difference between the uploader and the viewer.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Unrestricted File Upload

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54087
GHSA-8559-GWJ3-Q37R

Affected Products

Easyadmin