
Cloud Vulnerability DB
A community-led vulnerabilities database
A Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-61183) was discovered in VaahCMS version 2.3.1. The vulnerability exists in the storeAvatar() method of UserBase.php, which allows a remote attacker to execute arbitrary script in a victim's browser through unsafe SVG file handling during avatar uploads. The vulnerability was disclosed on October 8, 2025, and primarily affects the file upload functionality in the application's backend (GitHub Issue, NVD).
The vulnerability stems from improper file handling in the storeAvatar() method, where files are stored before content or MIME-type validation occurs. The vulnerable endpoint is POST /backend/vaah/manage/media/upload. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).
Successful exploitation allows attackers to control the content and filename of files written to a public storage path (/storage/media/YYYY/MM/.svg). When these SVG files are rendered by a user's browser through various HTML elements, the embedded malicious JavaScript executes, leading to persistent Cross-Site Scripting attacks (GitHub POC).
Temporary mitigation measures include: disabling SVG file uploads entirely; validating the file type server-side by checking the MIME type before the file is stored; running SVG content through a dedicated sanitizer library (such as enshrined/svg-sanitize for PHP); storing uploaded files outside the web root and serving them through a secure proxy; and automatically deleting files that fail validation. The vendor has acknowledged the vulnerability and a fix is pending (GitHub POC).
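One way to apply the validate-before-store advice above, as an added example written for this page rather than code taken from VaahCMS: the function name storeAvatarSafely, the $storageRoot parameter and the $_FILES-shaped $upload array are assumptions.

```php
<?php
// Added example, not VaahCMS code: validate an avatar BEFORE it is written to
// public storage, reversing the store-then-validate order in storeAvatar().
// $upload has the shape of $_FILES['avatar']; $storageRoot is assumed to lie
// outside the web root (files are served through a proxy, not directly).
declare(strict_types=1);

final class AvatarUploadError extends RuntimeException {}

// Returns the server-chosen relative path; throws without writing anything
// into $storageRoot on any failure.
function storeAvatarSafely(array $upload, string $storageRoot): string
{
    // Raster formats only. SVG is refused outright: it is an XML document
    // that may carry <script> elements and on* event handlers.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new AvatarUploadError('no valid upload');
    }

    // Sniff the type from the bytes; the client's Content-Type header and the
    // original filename/extension are attacker-controlled and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new AvatarUploadError("rejected content type: {$mime}");
    }
    // It must also decode as an image; SVG/XML and HTML fail this check.
    if (@getimagesize($upload['tmp_name']) === false) {
        throw new AvatarUploadError('not a decodable image');
    }

    // Never reuse the client filename: a random name plus an extension derived
    // from the sniffed type means the uploader cannot place a .svg/.html file.
    $relative = sprintf('%s/%s.%s', date('Y/m'), bin2hex(random_bytes(16)), $allowed[$mime]);
    $target = $storageRoot . '/' . $relative;
    if (!is_dir(dirname($target)) && !mkdir(dirname($target), 0750, true)) {
        throw new AvatarUploadError('cannot create storage directory');
    }
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        throw new AvatarUploadError('cannot store file');
    }
    return $relative;
}
```

When the proxy later serves the stored file, send it with the sniffed Content-Type and an X-Content-Type-Options: nosniff header so the browser cannot reinterpret it as a document.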
Source: This report was generated using AI