Vulnerability Description
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.
Related Weaknesses (CWE)
References
- https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/
- https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
- https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
FAQ
What is CVE-2025-47778?
CVE-2025-47778 is a documented vulnerability. Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via...
How severe is CVE-2025-47778?
CVSS scoring is not yet available for CVE-2025-47778. Check NVD for updates.
Is there a patch for CVE-2025-47778?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.