XXE in Sulu
CVE-2025-47778
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file that may load external data via the XML DOM library. This can be used for…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.004 (29.4th percentile)
Affected products
- Sulu, versions >= 2.5.21, < 2.5.25; >= 2.6.5, < 2.6.9; >= 3.0.0-alpha1, < 3.0.0-alpha3
Weakness classification (CWE)