CVE-2025-61457: 
PHP vulnerability analysis and mitigation

code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php. The vulnerability has been assigned identifier CVE-2025-61457. The issue affects the file upload functionality of the application. The vulnerability was discovered and reported by security researcher chimmee in July 2025 (MITRE).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates the vulnerability is network exploitable, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact confidentiality and integrity but not availability (CISA-ADP). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

The Cross-Site Scripting vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to theft of sensitive information or session hijacking. The vulnerability affects both confidentiality and integrity of the system with low impact levels.

The vulnerability has been fixed in Sharp v9.7.0. The fix includes sanitizing SVG images by default before saving to prevent XSS attacks. Users can opt-out of this protection using setImageSanitizeSvg(false). Additionally, HTML content is now sanitized by default before saving to the database (Sharp Release).