6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62418

GHSA ID

GHSA-fg89-g389-p346

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62418

CVE-2025-62418: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

Summary

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

Details

The underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE’s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the browser may execute the script portion of the SVG. The application might not validate the file content (i.e. inspect the SVG XML) or strip <script>, onload, onclick, foreignObject, xlink:href injection, objects/embed tags, etc.

PoC

Navigate to any forms with TinyMCE editor. Attempt to upload a SVG file with embedded JavaScript. <img width="1580" height="795" alt="image" src="https://github.com/user-attachments/assets/17df21a4-bfcd-4c51-a963-68f68241fd2e" /> JavaScript was triggered. <img width="1402" height="409" alt="image" src="https://github.com/user-attachments/assets/d0e326c3-6f23-449d-8f90-1e1032818d80" />

Impact

Malicious script is stored in SVG file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.

(GitHub Advisory)

6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62418

GHSA ID

GHSA-fg89-g389-p346

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	<= 2.3.7	2.3.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the TinyMCE editor's image upload functionality. An authenticated attacker could upload a crafted SVG file with embedded JavaScript. The root cause was the lack of server-side validation on the uploaded file type.

The analysis of the fixing commit 7b6b1dd639a14e7053bb82ef2f971c1f533fdfab points to the packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php file as the location of the vulnerability.

The upload() method in this controller acts as the entry point for the file upload. It calls the storeMedia() method, which contains the core logic for processing and saving the file. Prior to the patch, the storeMedia() function did not properly validate the MIME type or file extension of the uploaded file, directly storing it on the server. This allowed an attacker to upload a malicious SVG file disguised as an image.

The patch introduces strict checks within storeMedia() to validate the file's MIME type against an allowlist and ensure the file extension matches the MIME type. Because the exploit is triggered by uploading a file through the endpoint handled by upload(), which in turn uses storeMedia() to process the file, both functions would appear in a runtime profile during exploitation.

Vulnerable functions

Webkul\Admin\Http\Controllers\TinyMCEController::upload

packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php

This function is the public endpoint that handles the file upload request from the TinyMCE editor. It calls the `storeMedia` function where the core of the vulnerability lies. As the entry point for the vulnerable operation, it would be present in any runtime profile of the exploit.

Webkul\Admin\Http\Controllers\TinyMCEController::storeMedia

packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php

This function is responsible for the file storage logic. Before the patch, it lacked proper validation of the uploaded file's MIME type and extension, allowing a malicious SVG file containing JavaScript to be uploaded and stored on the server. The patch adds strict validation to prevent this.

WAF Protection Rules

WAF Rule

### Summ*ry In ***isto v*.*.*, t** TinyM** im*** uplo** *un*tion*lity *llows *n *tt**k*r wit* su**i*i*nt privil***s (*.*. **min) to uplo** * *r**t** SV* *il* *ont*inin* *m****** J*v*S*ript. W**n vi*w**, t** m*li*ious *o** *x**ut*s in t** *ont*xt o* t

Reasoning

T** vuln*r**ility is * stor** *ross-Sit* S*riptin* (XSS) issu* in t** TinyM** **itor's im*** uplo** *un*tion*lity. *n *ut**nti**t** *tt**k*r *oul* uplo** * *r**t** SV* *il* wit* *m****** J*v*S*ript. T** root **us* w*s t** l**k o* s*rv*r-si** v*li**ti

6.9

Basic Information

Concerned about an active attack path?

CVE-2025-62418: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

Summary

Details

PoC

Impact

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI