{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/easycorp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EasyAdmin Bundle (versions \u003e= 5.0.0, \u003c 5.0.13)"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","vulnerability","easyadmin"],"_cs_type":"advisory","_cs_vendors":["EasyCorp"],"content_html":"\u003cp\u003eA significant stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-54087, impacts EasyAdmin Bundle versions 5.0.0 through 5.0.12. This flaw arises when the \u003ccode\u003eFileField\u003c/code\u003e and \u003ccode\u003eImageField\u003c/code\u003e components are misconfigured to store uploaded files within the public web root. By default, \u003ccode\u003eFileField\u003c/code\u003e lacks MIME or extension restrictions, and \u003ccode\u003eImageField\u003c/code\u003e accepts SVG files, both of which can embed browser-executable JavaScript. An attacker with access to a form using these fields can upload a malicious \u003ccode\u003e.html\u003c/code\u003e or \u003ccode\u003e.svg\u003c/code\u003e file containing JavaScript. When a legitimate administrator subsequently views this uploaded file within the EasyAdmin backend, the embedded script executes in the context of their authenticated session. This can lead to the theft of session tokens or CSRF tokens, ultimately resulting in privilege escalation. This vulnerability does not permit remote code execution (RCE) because EasyAdmin's filename handling prevents the upload of \u003ccode\u003e.php\u003c/code\u003e or \u003ccode\u003e.phtml\u003c/code\u003e files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer configures an EasyAdmin application with \u003ccode\u003eFileField\u003c/code\u003e or \u003ccode\u003eImageField\u003c/code\u003e components to store uploaded files within the public web root directory.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to an EasyAdmin form that utilizes these configured \u003ccode\u003eFileField\u003c/code\u003e or \u003ccode\u003eImageField\u003c/code\u003e components, typically as a low-privileged user.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file, either an \u003ccode\u003e.html\u003c/code\u003e file for \u003ccode\u003eFileField\u003c/code\u003e or an \u003ccode\u003e.svg\u003c/code\u003e file for \u003ccode\u003eImageField\u003c/code\u003e, embedding JavaScript code designed for session theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file through the vulnerable EasyAdmin form.\u003c/li\u003e\n\u003cli\u003eEasyAdmin stores the malicious file in the publicly accessible web directory as per the misconfiguration.\u003c/li\u003e\n\u003cli\u003eA high-privileged administrator later accesses the EasyAdmin backend and attempts to view the uploaded file through the interface.\u003c/li\u003e\n\u003cli\u003eThe administrator's web browser fetches the malicious file, which is served inline from the application's domain, and executes the embedded JavaScript due to the browser's same-origin policy.\u003c/li\u003e\n\u003cli\u003eThe executed JavaScript steals the administrator's session cookies or CSRF tokens, or performs other actions, enabling unauthorized privilege escalation or further malicious activities within the administrator's authenticated context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54087 can lead to severe consequences for the compromised EasyAdmin instance. Attackers can leverage the executed JavaScript to steal authenticated user sessions, including those of high-privileged administrators. This stolen session information can then be used to perform unauthorized actions, including data manipulation, configuration changes, or further compromise of the system by exploiting the administrator's privileges. Additionally, CSRF tokens can be exfiltrated, enabling cross-site request forgery attacks against the system. The primary impact is the unauthorized access and privilege escalation within the web application, although remote code execution is not directly achievable through this specific vulnerability. The impact relies on developers configuring file uploads to a publicly accessible web directory and a privilege gap between the uploading user and the viewing administrator.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54087\u003c/strong\u003e: Immediately upgrade EasyAdmin Bundle to version 5.0.13 or newer to remediate CVE-2026-54087.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview File Upload Configurations\u003c/strong\u003e: Review all \u003ccode\u003eFileField\u003c/code\u003e and \u003ccode\u003eImageField\u003c/code\u003e configurations within your EasyAdmin applications to ensure uploaded files are NOT stored in public web-accessible directories or are served with \u003ccode\u003eContent-Disposition: attachment\u003c/code\u003e headers to prevent inline execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Strict Content Security Policy (CSP)\u003c/strong\u003e: Deploy or strengthen Content Security Policies (CSPs) on your web servers to restrict script execution sources, thereby mitigating the impact of potential XSS vulnerabilities even if malicious files are uploaded and viewed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:25:59Z","date_published":"2026-07-14T20:25:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-easyadmin-xss/","summary":"A high-severity stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54087, exists in EasyAdmin Bundle versions \u003e= 5.0.0 and \u003c 5.0.13, allowing attackers to upload malicious HTML or SVG files containing JavaScript which executes in an administrator's session when viewed in the backend, leading to session/CSRF token theft and privilege escalation.","title":"EasyAdmin Bundle Stored Cross-Site Scripting via File Uploads (CVE-2026-54087)","url":"https://feed.craftedsignal.io/briefs/2026-07-easyadmin-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - EasyCorp","version":"https://jsonfeed.org/version/1.1"}