CVE-2025-62418: bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

October 16, 2025

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

References

github.com/advisories/GHSA-fg89-g389-p346
github.com/bagisto/bagisto
github.com/bagisto/bagisto/commit/7b6b1dd639a14e7053bb82ef2f971c1f533fdfab
github.com/bagisto/bagisto/security/advisories/GHSA-fg89-g389-p346
nvd.nist.gov/vuln/detail/CVE-2025-62418

Code Behaviors & Features

Detect and mitigate CVE-2025-62418 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →