XML External Entity (XXE) Injection

🗓️ 16 May 2025 10:10:29Reported by Veracode Vulnerability DatabaseType

sulu/sulu is vulnerable to XML External Entity Injection due to improper handling of SVG file uploads.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2025-47778	14 May 202518:31	–	circl
CNNVD	Sulu 代码问题漏洞	14 May 202500:00	–	cnnvd
CVE	CVE-2025-47778	14 May 202515:29	–	cve
Cvelist	CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector	14 May 202515:29	–	cvelist
EUVD	EUVD-2025-14948	3 Oct 202520:07	–	euvd
Github Security Blog	Sulu vulnerable to XXE in SVG File upload Inspector	15 May 202516:08	–	github
NVD	CVE-2025-47778	14 May 202516:15	–	nvd
OSV	CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector	14 May 202515:29	–	osv
OSV	GHSA-F6RX-HF55-4255 Sulu vulnerable to XXE in SVG File upload Inspector	15 May 202516:08	–	osv
Positive Technologies	PT-2025-21177 · Sulu · Sulu	14 May 202500:00	–	ptsecurity

Vulners

Node

sulu sulu/suluRange2.5.21–2.5.24php

sulu sulu/suluRange2.6.5–2.6.8php

sulu sulu/suluRange3.0.0-alpha1–3.0.0-alpha2php

sulu sulu/suluMatch2.5.21php

sulu sulu/suluMatch2.5.22php

sulu sulu/suluMatch2.5.23php

sulu sulu/suluMatch2.6.5php

sulu sulu/suluMatch2.6.6php

sulu sulu/suluMatch2.6.7php

sulu sulu/suluMatch3.0.0-alpha1php

Source	Link
github	www.github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
github	www.github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
github	www.github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-47778
github	www.github.com/sulu/sulu

13 Dec 2025 06:13Current

7.1High risk

Vulners AI Score7.1

CVSS 48.6

EPSS0.00243

SSVC