Vulnerability DatabaseCVE-2025-47778
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-47778
May 14, 2025
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file "src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php" manually.
Affected Packages
https://github.com/sulu/sulu.git (GITHUB):
Affected version(s) >=2.6.5 <2.6.9
Fix Suggestion:
Update to version 2.6.9
https://github.com/sulu/sulu.git (GITHUB):
Affected version(s) >=2.5.21 <2.5.25
Fix Suggestion:
Update to version 2.5.25
Related Resources (5)
https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
https://nvd.nist.gov/vuln/detail/CVE-2025-47778
https://github.com/sulu/sulu
https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Restriction of XML External Entity Reference
CWE-611
EPSS
Base Score:
0.24