{"uuid": "d8d2c387-0008-4f4f-85c4-5bcf6fc49b5f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-97R8-RF7Q-WMJW", "type": "seen", "source": "https://gist.github.com/alon710/98fbc08fd28e864acb5a0c94e605d960", "content": "# GHSA-97R8-RF7Q-WMJW: Stored Cross-Site Scripting via Sanitize-then-Decode Flaw in Sveltia CMS\n\n> **CVSS Score:** N/A\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/GHSA-97R8-RF7Q-WMJW\n\n## Summary\nSveltia CMS versions prior to 0.160.1 contain a stored cross-site scripting (XSS) vulnerability in the content summary rendering subsystem. The root cause is the order of two text transformations: summary text is sanitized first and HTML entities are decoded afterwards. Because the sanitizer runs before decoding, it does not recognise an entity-encoded tag (for example a tag written as `&lt;script&gt;`) as markup and passes it through; the subsequent decode turns it back into a live tag. An attacker with content creation privileges can therefore store an entity-encoded HTML payload in a field that feeds the entry summary, and the resulting script executes in the browser of any user, including administrators, who views that summary in the administrative interface.\n\n## TL;DR\nA sanitize-then-decode ordering flaw in Sveltia CMS allows stored XSS. An authenticated content author can inject entity-encoded HTML that bypasses the sanitizer and executes when administrators view entry summaries.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 (Improper Neutralization of Input During Web Page Generation)\n- **Attack Vector**: Network (authenticated; requires content creation privileges)\n- **CVSS Score**: N/A (severity rated Low)\n- **Impact**: Stored XSS; the injected script runs with the privileges of the viewing user, so a content author can act as an administrator (privilege escalation)\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- **Sveltia CMS**: < 0.160.1 (Fixed in: `0.160.1`)\n\n## Mitigation\n\n- Upgrade Sveltia CMS to version 0.160.1 or later; this is the only fix for the ordering bug itself.\n- As defence in depth, deploy a strict Content Security Policy (CSP) that does not allow `'unsafe-inline'` for scripts. A CSP reduces the impact of any residual or future XSS but does not remove the vulnerability.\n\n**Remediation Steps:**\n1. Verify the Sveltia CMS version currently deployed.\n2. Update the Sveltia CMS package to version 0.160.1 or later and redeploy the admin interface.\n3. Review existing repository content for entity-encoded tags (`&lt;`, `&#60;` or `&#x3c;` followed by a tag name, including double-encoded forms such as `&amp;lt;`) in the fields that feed entry summaries; payloads stored before the upgrade remain in the repository and should be removed.\n4. Deploy CSP headers that disallow inline script execution to limit the blast radius of any XSS that remains.\n\n## References\n\n- [GitHub Advisory for Sveltia CMS Stored XSS](https://github.com/advisories/GHSA-97R8-RF7Q-WMJW)\n- [Patch Commit](https://github.com/sveltia/sveltia-cms/commit/43a6ac5d0182a503400d8ce1ac156e08f537b1b2)\n- [Sveltia CMS v0.160.1 Release Notes](https://github.com/sveltia/sveltia-cms/releases/tag/v0.160.1)\n- [Sveltia CMS GitHub Repository](https://github.com/sveltia/sveltia-cms)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-97R8-RF7Q-WMJW) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T14:10:50.000000Z"}
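Added example, not code from Sveltia CMS or the CVEReports page: a minimal tag-stripping sanitizer and entity decoder wired up in the vulnerable order (sanitize, then decode) next to the corrected order (decode fully, then sanitize), plus a triage scan for the "review existing content for entity-encoded tags" remediation step. The sanitizer, decoder, field names and the sample payload are all constructed stand-ins; the decode-then-sanitize ordering shown is the general remedy for this bug class and is not a claim about what the Sveltia patch commit actually changed.

```javascript
// Added example of the sanitize-then-decode ordering bug and the corrected ordering.
// Not Sveltia CMS code: the sanitizer, decoder and sample data are illustrative stand-ins.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode one layer of HTML entities: named (&lt;), decimal (&#60;) and hex (&#x3C;).
// Unknown entities are left untouched.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Decode repeatedly until the text stops changing, so double-encoded input
// (&amp;lt;) cannot survive one decode round and be re-activated downstream.
function decodeFully(text, maxRounds = 5) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEntities(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Minimal tag-stripping "sanitizer". Like most sanitizers it only recognises a
// literal "<", so an entity-encoded tag is invisible to it.
function stripTags(text) {
  return text.replace(/<[^>]*>/g, "");
}

// Escape plain text for contexts that insist on inserting it as HTML.
function toHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE ordering, the bug class in the advisory: sanitize, then decode.
// stripTags() sees no "<"; decodeEntities() then rebuilds the tag.
function vulnerableSummary(rawField) {
  return decodeEntities(stripTags(rawField));
}

// FIXED ordering: decode to what the browser would actually interpret, then
// sanitize. The result is plain text and should be rendered via textContent;
// use toHtml() if it must go through an innerHTML-style sink.
function fixedSummary(rawField) {
  return stripTags(decodeFully(rawField));
}

// Triage helper for the "review existing content" remediation step: flags
// entity-encoded tag openers, including double-encoded ones, that a
// literal-"<" sanitizer would not see. Heuristic: "a &lt; b" is also flagged.
const ENCODED_TAG = /(?:&(?:amp;)*lt;|&#0*60;|&#x0*3c;)\s*\/?([a-z][a-z0-9-]*)/gi;
function findEncodedTags(text) {
  const hits = [];
  for (const m of text.matchAll(ENCODED_TAG)) {
    hits.push({ tag: m[1].toLowerCase(), at: m.index, raw: m[0] });
  }
  return hits;
}

// Constructed sample payload of the kind the advisory describes (not the actual PoC).
const SAMPLE_PAYLOAD = "Release notes &lt;img src=x onerror=alert(document.cookie)&gt; draft";

console.log("vulnerable:", vulnerableSummary(SAMPLE_PAYLOAD));
console.log("fixed:     ", fixedSummary(SAMPLE_PAYLOAD));
console.log("flagged:   ", findEncodedTags(SAMPLE_PAYLOAD));
```

Run with `node` to see the vulnerable pipeline emit a live `<img ... onerror=...>` tag from input that contained no literal `<`, while the fixed pipeline strips it. The scan helper is a first-pass filter for step 3 of the remediation list: anything it flags in a summary-feeding field should be inspected by hand, since a legitimate "a &lt; b" comparison will also match.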