CVE-2025-47778: Sulu vulnerable to XXE in SVG File upload Inspector
An admin user can upload an SVG file that the XML DOM library parses while loading external data; in particular, the file can contain insecure XML External Entity (XXE) references.
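A defensive upload check for this class of bug, as an added example that is not Sulu's own code or its fix: it rejects any SVG that declares a DOCTYPE or entity and parses what remains with libxml network access disabled. It assumes PHP 8 with ext-dom and ext-libxml; the sample inputs are constructed.

```php
<?php
// Added example (not Sulu's SvgFileInspector): returns a list of reasons the
// upload should be refused; an empty list means the SVG passed the check.
function inspectSvgUpload(string $svg): array
{
    $errors = [];

    // A valid SVG image needs no DOCTYPE, and every entity-based XXE payload
    // needs one to declare entities, so refuse any DTD subset before parsing.
    // The XML keywords are case-sensitive and must follow "<!" directly.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/', $svg)) {
        $errors[] = 'SVG contains a DOCTYPE or ENTITY declaration';
        return $errors;
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new \DOMDocument();
    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT set, so entities are never
    // substituted and no external DTD is fetched.
    $loaded = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOBLANKS);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded) {
        $errors[] = 'SVG is not well-formed XML';
        return $errors;
    }

    // Second line of defence: refuse the file if libxml recorded a doctype anyway.
    if ($doc->doctype !== null) {
        $errors[] = 'parsed document carries a DOCTYPE';
    }

    // An image upload must have <svg> as its root element.
    if ($doc->documentElement === null
        || strtolower($doc->documentElement->localName) !== 'svg') {
        $errors[] = 'root element is not <svg>';
    }

    return $errors;
}

// Constructed sample inputs, not taken from the advisory.
$benign = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    . '<rect width="1" height="1"/></svg>';
$withEntity = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///dev/null">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';

print_r(inspectSvgUpload($benign));     // expected to pass: no errors
print_r(inspectSvgUpload($withEntity)); // expected to be refused at the DOCTYPE check
```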
References
- github.com/advisories/GHSA-f6rx-hf55-4255
- github.com/sulu/sulu
- github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
- github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
- github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
- nvd.nist.gov/vuln/detail/CVE-2025-47778