PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload

Advisories

severity: medium
date: December 17, 2025
Affecting: PHPFusion 9.10.30
CVE: CVE-2023-53928
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: ExploitDB-51411
Official Product Homepage
Credit: Mirabbas Ağalarov
Description: PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.