<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EasyCorp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/easycorp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:25:59 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/easycorp/feed.xml" rel="self" type="application/rss+xml"/><item><title>EasyAdmin Bundle Stored Cross-Site Scripting via File Uploads (CVE-2026-54087)</title><link>https://feed.craftedsignal.io/briefs/2026-07-easyadmin-xss/</link><pubDate>Tue, 14 Jul 2026 20:25:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-easyadmin-xss/</guid><description>A high-severity stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54087, exists in EasyAdmin Bundle versions &gt;= 5.0.0 and &lt; 5.0.13, allowing attackers to upload malicious HTML or SVG files containing JavaScript which executes in an administrator's session when viewed in the backend, leading to session/CSRF token theft and privilege escalation.</description><content:encoded><![CDATA[<p>A significant stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-54087, impacts EasyAdmin Bundle versions 5.0.0 through 5.0.12. This flaw arises when the <code>FileField</code> and <code>ImageField</code> components are misconfigured to store uploaded files within the public web root. By default, <code>FileField</code> lacks MIME or extension restrictions, and <code>ImageField</code> accepts SVG files, both of which can embed browser-executable JavaScript. An attacker with access to a form using these fields can upload a malicious <code>.html</code> or <code>.svg</code> file containing JavaScript. When a legitimate administrator subsequently views this uploaded file within the EasyAdmin backend, the embedded script executes in the context of their authenticated session. This can lead to the theft of session tokens or CSRF tokens, ultimately resulting in privilege escalation. This vulnerability does not permit remote code execution (RCE) because EasyAdmin's filename handling prevents the upload of <code>.php</code> or <code>.phtml</code> files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A developer configures an EasyAdmin application with <code>FileField</code> or <code>ImageField</code> components to store uploaded files within the public web root directory.</li>
<li>An attacker gains access to an EasyAdmin form that utilizes these configured <code>FileField</code> or <code>ImageField</code> components, typically as a low-privileged user.</li>
<li>The attacker crafts a malicious file, either an <code>.html</code> file for <code>FileField</code> or an <code>.svg</code> file for <code>ImageField</code>, embedding JavaScript code designed for session theft or privilege escalation.</li>
<li>The attacker uploads the malicious file through the vulnerable EasyAdmin form.</li>
<li>EasyAdmin stores the malicious file in the publicly accessible web directory as per the misconfiguration.</li>
<li>A high-privileged administrator later accesses the EasyAdmin backend and attempts to view the uploaded file through the interface.</li>
<li>The administrator's web browser fetches the malicious file, which is served inline from the application's domain, and executes the embedded JavaScript due to the browser's same-origin policy.</li>
<li>The executed JavaScript steals the administrator's session cookies or CSRF tokens, or performs other actions, enabling unauthorized privilege escalation or further malicious activities within the administrator's authenticated context.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54087 can lead to severe consequences for the compromised EasyAdmin instance. Attackers can leverage the executed JavaScript to steal authenticated user sessions, including those of high-privileged administrators. This stolen session information can then be used to perform unauthorized actions, including data manipulation, configuration changes, or further compromise of the system by exploiting the administrator's privileges. Additionally, CSRF tokens can be exfiltrated, enabling cross-site request forgery attacks against the system. The primary impact is the unauthorized access and privilege escalation within the web application, although remote code execution is not directly achievable through this specific vulnerability. The impact relies on developers configuring file uploads to a publicly accessible web directory and a privilege gap between the uploading user and the viewing administrator.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-54087</strong>: Immediately upgrade EasyAdmin Bundle to version 5.0.13 or newer to remediate CVE-2026-54087.</li>
<li><strong>Review File Upload Configurations</strong>: Review all <code>FileField</code> and <code>ImageField</code> configurations within your EasyAdmin applications to ensure uploaded files are NOT stored in public web-accessible directories or are served with <code>Content-Disposition: attachment</code> headers to prevent inline execution.</li>
<li><strong>Implement Strict Content Security Policy (CSP)</strong>: Deploy or strengthen Content Security Policies (CSPs) on your web servers to restrict script execution sources, thereby mitigating the impact of potential XSS vulnerabilities even if malicious files are uploaded and viewed.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>web-application</category><category>vulnerability</category><category>easyadmin</category></item></channel></rss>