
Cloud Vulnerability DB
A community-led vulnerabilities database
FormCms version 0.5.5 contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-56236. The vulnerability was discovered in the avatar upload feature and was publicly disclosed on August 28, 2025. The vulnerability affects FormCms installations from version 0.5.5 up to (excluding) version 0.5.7 (NVD).
The vulnerability exists in the avatar upload feature, where any authenticated user can upload a .html file containing attacker-controlled JavaScript. The file is stored on the server and served back from a public URL under the application's own origin, so the script runs same-origin with whoever opens it. The root cause is an unrestricted file upload in the ProfileService.UploadAvatar method, which lacks file type validation: neither the extension nor the content of the uploaded file is checked against an image allowlist. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Miggo). Note that this vector scores Privileges Required as None (PR:N) even though, per the description, the upload step requires an authenticated account; readers triaging this issue should weigh the published score against that requirement.
When exploited, this vulnerability allows a low-privileged authenticated attacker to perform stored XSS. If a privileged user, such as a Super Admin, opens the malicious file, either directly or after being sent the public URL through social engineering, the embedded JavaScript executes in the context of the victim's session. Because the page is served from the application's origin, the script can call the application's API with the victim's credentials and perform unauthorized actions on their behalf, including full CRUD operations on users, roles, and other sensitive application-specific data (GitHub Issue).
The vulnerability has been patched in FormCms version 0.5.7. The fix adds file type validation to the ProfileService.UploadAvatar method via an IsImage() check that rejects non-image uploads (NVD). Two practitioner caveats apply: a check that looks only at the file extension or the client-supplied Content-Type can be bypassed, so validation should also inspect the file content; and upgrading does not remove files already written to the avatar store, so instances that ran an affected version should review existing uploads for non-image content.
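The following is an added example, written for this entry and not taken from FormCms, that contrasts the vulnerable pattern (trusting the client-supplied file name and Content-Type) with a content-based image check of the kind a hardened UploadAvatar needs. The class, method and parameter names are illustrative and are not FormCms's API; the byte arrays are constructed samples, not real uploads.

```csharp
// Added example, not FormCms code. Names (AvatarValidation, IsAcceptedUnsafe, IsImage)
// are illustrative assumptions, not the project's API.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public static class AvatarValidation
{
    // Allowlisted extensions mapped to the magic-byte prefixes that must appear at offset 0.
    private static readonly Dictionary<string, byte[][]> Signatures = new()
    {
        [".png"]  = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        [".jpg"]  = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".jpeg"] = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".gif"]  = new[] { Encoding.ASCII.GetBytes("GIF87a"), Encoding.ASCII.GetBytes("GIF89a") },
    };

    // Vulnerable pattern: accepts anything with a name and a Content-Type, both of which
    // the client controls. "avatar.html" with a text/html body is stored and later served
    // from a public URL under the application's origin.
    public static bool IsAcceptedUnsafe(string fileName, string contentType) =>
        !string.IsNullOrEmpty(fileName) && !string.IsNullOrEmpty(contentType);

    // Hardened check: the extension must be allowlisted AND the first bytes of the actual
    // body must match one of that format's signatures. A renamed HTML file fails the
    // second test even if it passes the first.
    public static bool IsImage(string fileName, ReadOnlySpan<byte> content)
    {
        var ext = Path.GetExtension(fileName).ToLowerInvariant();
        if (!Signatures.TryGetValue(ext, out var prefixes))
            return false;

        foreach (var prefix in prefixes)
        {
            if (content.Length >= prefix.Length && content[..prefix.Length].SequenceEqual(prefix))
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed samples: a PNG signature followed by the start of an IHDR chunk length,
        // and an HTML body that would call the API as the viewing user.
        var png  = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D };
        var html = Encoding.UTF8.GetBytes("<html><script>fetch('/api/users')</script></html>");

        // Valid PNG with a .png extension: accepted.
        Console.WriteLine($"png as .png:   {IsImage("avatar.png", png)}");
        // HTML with a .html extension: rejected by the extension allowlist.
        Console.WriteLine($"html as .html: {IsImage("avatar.html", html)}");
        // HTML renamed to .png: rejected by the magic-byte check.
        Console.WriteLine($"html as .png:  {IsImage("avatar.png", html)}");
        // The vulnerable path accepts the HTML file outright.
        Console.WriteLine($"unsafe check:  {IsAcceptedUnsafe("avatar.html", "image/png")}");
    }
}
```

The magic-byte check is the minimum that makes the .html payload described above unservable as an avatar; it does not replace defence in depth. Uploaded files should still be served with `X-Content-Type-Options: nosniff` and an image `Content-Type` derived from the validated signature rather than from the request, and ideally re-encoded through an image library or served from a separate origin so that a file which does slip through cannot run in the application's own session context.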
Source: This report was generated using AI