CVE-2025-47778: 
PHP vulnerability analysis and mitigation

Sulu, an open-source PHP content management system based on the Symfony framework, contains a security vulnerability (CVE-2025-47778) that affects versions 2.5.21, 2.6.5, and 3.0.0-alpha1. The vulnerability allows admin users to upload SVG files that can load external data via XML DOM library, potentially enabling insecure XML External Entity References (GitHub Advisory).

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference). The issue stems from the SvgFileInspector component which processes uploaded SVG files. The vulnerability has been assigned a CVSS v4.0 score of 6.1 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

When exploited, this vulnerability could allow an authenticated admin user to perform XML External Entity (XXE) attacks through SVG file uploads. This could potentially lead to unauthorized access to external data and system resources (GitHub Advisory).

The vulnerability has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. For users unable to upgrade immediately, a manual workaround is available by patching the affected file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php to replace loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD) with loadXML($data, LIBXML_NONET) (GitHub Advisory).