CVE-2018-25157 MEDIUM

CVE-2018-25157: Phraseanet 4.0.3 Stored XSS via Document Upload

Vendor Phraseanet
Product Phraseanet DAM Open Source
Weakness CWE-79 · XSS
Published February 11, 2026
Last update February 11, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or redirecting users when the file is viewed.

Key dates

02 Disclosure timeline

February 11, 2026 CVE published
February 11, 2026 Record updated