From this web page screenshot, the following key information about the vulnerability can be extracted:

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the File Management module of FluentCMS. The vulnerability allows an authenticated administrator to upload SVG files containing malicious JavaScript code. This code is executed in the user's browser whenever the URL of the uploaded image is accessed.

Details

The application allows authenticated administrators to upload SVG files via the File Management module without proper sanitization. Since SVG files can contain embedded JavaScript, the malicious code executes automatically when the image is rendered in a browser. Because files are stored in a public directory and served without restrictive security headers, the XSS executes for any user accessing the file URL, including unauthenticated visitors.

PoC

To replicate this vulnerability:

1. Log in to the FluentCMS admin panel.
2. Navigate to File Management.
3. Upload an SVG file.
4. Request the path to the uploaded file.
5. Observe that the JavaScript code executes in the browser.

Impact

This could lead to unauthorized actions, UI manipulation, or redirecting users to malicious external websites.

Note

This public disclosure is being made after coordinating with the team.
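As an added example (not FluentCMS code and not part of the advisory), the following Python shows the two mitigations the Details section implies: rejecting SVG uploads that carry active content at upload time, and serving whatever is stored with headers that prevent script execution in the site's origin. The element and attribute lists, the header values and the two sample SVG documents are constructed assumptions for illustration.

```python
"""Screen SVG uploads for active content and pick safe headers for serving them.

Constructed example; not FluentCMS code. Parsing is done with the standard
library ElementTree, which does not fetch external entities by default.
"""
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed arbitrary HTML when rendered
# directly in a browser (assumed list; extend per your threat model).
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Attributes that can carry a URI; a javascript: value in any of them runs code.
URI_ATTRIBUTES = {"href", "src"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen.

    Unparseable input is reported as a finding so the caller rejects it rather
    than letting a browser's lenient parser make its own sense of the bytes.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for element in root.iter():
        tag = _local(element.tag).lower()
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = _local(attr).lower()
            # Event handler attributes (onload, onclick, ...) execute script.
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            # javascript: URIs in href/src; whitespace is stripped before the
            # comparison so leading newlines or spaces do not bypass the check.
            elif name in URI_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload-time gate: accept only SVGs with no findings."""
    return not find_active_content(svg_bytes)


def upload_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload so residual script cannot run in-origin.

    default-src 'none' blocks script and resource loads; 'sandbox' isolates the
    document; attachment disposition stops direct navigation from rendering it
    inline (an <img> reference still displays it, and <img> never runs script).
    Serving uploads from a separate origin is the stronger complement to this.
    """
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


# Constructed sample inputs.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "accepted" if is_safe_svg(sample) else find_active_content(sample))
    print(upload_response_headers("logo.svg"))
```

The gate is a denylist of the constructs that turn an image into a script host, which is what an upload endpoint can check cheaply; the headers are the layer that still holds if a file slips past it, which is why both belong in the fix rather than either alone.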