CVE-2025-61457: 
PHP vulnerability analysis and mitigation

code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php. The vulnerability was discovered and disclosed on October 21, 2025. The issue affects the file upload functionality in the Sharp framework (NVD).

The vulnerability is a Cross-Site Scripting (XSS) issue that occurs in the file upload functionality, specifically in the SharpFormUploadField.php component. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network accessible, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact both confidentiality and integrity at a low level, with no impact on availability (NVD, AttackerKB).

The vulnerability allows attackers to execute arbitrary scripts in victims' browsers through malicious file uploads. This can lead to theft of sensitive information, session hijacking, or other client-side attacks. The impact is considered moderate due to the requirement for user interaction and the limited scope of the potential damage (AttackerKB).

The vulnerability has been patched in Sharp v9.7.0. The fix includes implementing SVG image sanitization by default before saving to prevent XSS, with an option to opt-out using setImageSanitizeSvg(false). Users are strongly recommended to upgrade to version 9.7.0 or later (Sharp Release).

The vulnerability was initially reported by security researcher 'chimmeee' through GitHub's security reporting mechanism. The Sharp development team responded promptly by implementing sanitization features in the next release (GitHub Issue).