Stored Cross-Site Scripting in FluentCMS by Fluent
CVE-2025-15549

4.8MEDIUM

Key Information:

Vendor: Fluentcms
Status: Fluentcms
Vendor: CVE Published:; 29 January 2026

What is CVE-2025-15549?

FluentCMS 2026 is affected by a stored cross-site scripting vulnerability that enables authenticated administrators to upload SVG files containing embedded JavaScript through the File Management module. This flaw allows attackers to potentially upload malicious SVG files that execute arbitrary JavaScript in the browsers of users who access the URLs of these uploaded files, posing a significant security risk to any organization using this product.

Affected Version(s)

FluentCMS 0 <= 0.0.5

References

https://github.com/fluentcms/FluentCMS/issues/2404

issue-tracking

https://www.vulncheck.com/advisories/fluentcms-stored-xss...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

Jarosław Wawiórko

CVE-2025-15549 Data

JSON