ByteOS Network

NVD Vulnerability Details :

CVE-2026-38948

Received

Source-cve@mitre.org

Published At-28 Apr, 2026 | 16:16

Updated At-28 Apr, 2026 | 16:16

Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

References

Hyperlink	Source	Resource
https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md	cve@mitre.org	N/A
https://github.com/daylightstudio/FUEL-CMS	cve@mitre.org	N/A
https://www.youtube.com/watch?v=lLCF0xbjecQ	cve@mitre.org	N/A

Hyperlink: https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://github.com/daylightstudio/FUEL-CMS

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://www.youtube.com/watch?v=lLCF0xbjecQ

Source: cve@mitre.org

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History