VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-438g-26cy-e3fj

Essentials
Severities (15)
References (6)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-438g-26cy-e3fj
Aliases	CVE-2026-27621 GHSA-xfvg-8v67-j7wp
Summary	TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attacker can upload a specially crafted SVG file containing malicious JavaScript code. When another user (such as an administrator) views or accesses this file through the application, the script executes in their browser, leading to a compromise of that user's session. The issue is exacerbated by a bug in the SVG parsing logic, which can cause a 500 error if the uploaded SVG does not contain a `viewBox` attribute. However, this does not mitigate the XSS vulnerability, as an attacker can easily include a valid `viewBox` attribute in their malicious payload. Version 16.1.7 of TypiCMS Core fixes the issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2026-27621
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2026-27621
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2026-27621
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-xfvg-8v67-j7wp
cvssv4	6.8	https://github.com/TypiCMS/Core
generic_textual	MODERATE	https://github.com/TypiCMS/Core
cvssv4	6.8	https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d
generic_textual	MODERATE	https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d
ssvc	Track	https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d
cvssv3.1_qr	MODERATE	https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp
cvssv4	6.8	https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp
generic_textual	MODERATE	https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp
ssvc	Track	https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp
cvssv4	6.8	https://nvd.nist.gov/vuln/detail/CVE-2026-27621
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-27621

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-27621
		https://github.com/TypiCMS/Core
CVE-2026-27621		https://nvd.nist.gov/vuln/detail/CVE-2026-27621
d480a0be1e8e7c0600bb9a325bb11920ee66497d		https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d
GHSA-xfvg-8v67-j7wp		https://github.com/advisories/GHSA-xfvg-8v67-j7wp
GHSA-xfvg-8v67-j7wp		https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp

No exploits are available.

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/TypiCMS/Core

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:59:03Z/ Found at https://github.com/TypiCMS/Core/commit/d480a0be1e8e7c0600bb9a325bb11920ee66497d

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:59:03Z/ Found at https://github.com/TypiCMS/Core/security/advisories/GHSA-xfvg-8v67-j7wp

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27621

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.11907
EPSS Score	0.00039
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:50:53.046343+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/27xxx/CVE-2026-27621.json	38.6.0