XXE in Sulu

CVE-2025-47778

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG that may load external data via the XML DOM library. This can be used for…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.004 (29.4th percentile)

Affected products

  • Sulu — versions >= 2.5.21, < 2.5.25, >= 2.6.5, < 2.6.9, >= 3.0.0-alpha1, < 3.0.0-alpha3
