CVE-2023-53928 MEDIUM

CVE-2023-53928: PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload

Vendor Php-Fusion
Product PHPFusion
Weakness CWE-79 · XSS
Published December 17, 2025
Last update April 7, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.

Key dates

02Disclosure timeline

December 17, 2025 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-53301 WordPress Theme Junkie Team Content plugin <= 0.1.1 - Cross Site Scripting (XSS) Vulnerability CVE-2025-3824 SourceCodester Web-based Pharmacy Product Management System add-product.php cross site scripting CVE-2024-43721 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-53500 Stored XSS in MassEditRegex CVE-2026-1910 UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute