CVE-2025-51489: 
PHP vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened. The vulnerability was discovered on August 19, 2025, and was assigned CVE-2025-51489 (NVD).

The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The attack requires low privileges and user interaction, with network-based attack vector (NVD, AttackerKB).

The vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser when a maliciously crafted SVG file is opened. This can lead to potential theft of sensitive information, session hijacking, or other client-side attacks (MoonShine_PoCs).

Users should upgrade to MoonShine version 3.12.5 or later to address this vulnerability. The fix has been implemented in the official repository (MoonShine).