PT-2026-60099 · Easyadmin · Easyadmin
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-54087
CVSS v3.1
7.6
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
EasyAdmin (affected versions not specified)
Description
Stored Cross-Site Scripting (XSS) occurs because
FileField and ImageField accept browser-executable file types by default. FileField applies no MIME or extension restrictions, while ImageField accepts SVG files. When the upload directory is located within the public web root, files are linked inline without a download attribute or Content-Disposition: attachment header. An attacker can upload an .html or .svg file containing JavaScript; when an authenticated administrator opens the file, the script executes in their session context, potentially leading to session theft, CSRF-token theft, or privilege escalation. This issue requires the developer to store uploads in the public directory and a privilege difference between the uploader and the viewer.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Unrestricted File Upload
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Easyadmin