CVE Reports

Posted on • Originally published at cvereports.com

GHSA-97R8-RF7Q-WMJW: Stored Cross-Site Scripting via Sanitize-then-Decode Flaw in Sveltia CMS

Vulnerability ID: GHSA-97R8-RF7Q-WMJW
CVSS Score: N/A
Published: 2026-05-18

Sveltia CMS versions prior to 0.160.1 contain a stored cross-site scripting (XSS) vulnerability in the content summary rendering subsystem. The flaw arises from the order of two text transformations: the summary is sanitized first and entity-decoded afterwards, so entity-encoded markup passes the sanitizer untouched and is restored to live HTML by the decode step. Attackers with content creation privileges can exploit this by submitting entity-encoded HTML payloads, which execute scripts in the browser context of users viewing the administrative interface.

TL;DR

A sanitize-then-decode flaw in Sveltia CMS allows stored XSS. Attackers can inject entity-encoded HTML that bypasses sanitizers and executes when administrators view entry summaries.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (Authenticated)
  • CVSS Score: N/A (Low)
  • Impact: Stored XSS / Privilege Escalation
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Sveltia CMS
  • Sveltia CMS: < 0.160.1 (Fixed in: 0.160.1)

Code Analysis

Commit: 43a6ac5

Fix sanitizeEntrySummary execute parseEntities before sanitize for Markdown enabled paths

Exploit Details

  • GitHub Advisory: Vendor advisory detailing PoC payload structures and impact methodology

Mitigation Strategies

  • Upgrade Sveltia CMS to version 0.160.1 or later
  • Implement a strict Content Security Policy (CSP) to block inline script execution

Remediation Steps:

  1. Verify current Sveltia CMS deployment version.
  2. Update the package dependency to version 0.160.1.
  3. Review existing repository content for anomalous entity-encoded tags in primary fields.
  4. Deploy CSP headers restricting unsafe-inline scripts to mitigate residual execution risks.
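As an added illustration that is not Sveltia CMS's own code (which this page does not reproduce), the two orderings side by side: a reduced entity decoder and a tag-stripping sanitizer stand in for parseEntities and the real summary sanitizer, and a final helper implements the audit suggested by remediation step 3. The sample strings are constructed for this example.

```javascript
// Minimal stand-ins for the two text transformations the advisory describes.
// They are simplified illustrations written for this page, not Sveltia CMS code.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode named and numeric HTML entities (a reduced stand-in for parseEntities).
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const key = body.toLowerCase();
    return Object.hasOwn(NAMED_ENTITIES, key) ? NAMED_ENTITIES[key] : match;
  });
}

// Strip every tag: a plain-text summary needs no markup at all.
function stripTags(text) {
  return text.replace(/<[^>]*>/g, '');
}

// Vulnerable ordering (before the fix): sanitize first, then decode.
// The sanitizer sees only entities, removes nothing, and the decode step
// re-creates the angle brackets afterwards.
function summaryVulnerable(raw) {
  return decodeEntities(stripTags(raw));
}

// Fixed ordering (commit 43a6ac5): decode first, then sanitize, so the
// sanitizer operates on the markup that will actually reach the page.
function summaryFixed(raw) {
  return stripTags(decodeEntities(raw));
}

// Audit helper for remediation step 3: flag stored field values that show
// no tags as written but decode into markup, the pattern the flaw relied on.
function hidesMarkupBehindEntities(raw) {
  return !/<[^>]*>/.test(raw) && /<[^>]*>/.test(decodeEntities(raw));
}

// Constructed sample values, not taken from the advisory.
const samples = {
  benign: 'Hello &amp; <b>world</b>',
  encodedTag: '&lt;script&gt;alert(1)&lt;/script&gt;',
  numericTag: '&#60;b&#62;bold&#60;/b&#62;',
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, '| vulnerable:', JSON.stringify(summaryVulnerable(value)),
              '| fixed:', JSON.stringify(summaryFixed(value)),
              '| flagged:', hidesMarkupBehindEntities(value));
}
```

The fixed ordering is only safe if nothing decodes the sanitized result a second time before it is rendered; a later decode step would reintroduce the same bug.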
