EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField
High severity
GitHub Reviewed
Published
Jun 4, 2026
in
EasyCorp/EasyAdminBundle
•
Updated Jul 14, 2026
Package
Affected versions
>= 5.0.0, < 5.0.13
Patched versions
5.0.13
Description
Published to the GitHub Advisory Database
Jul 14, 2026
Reviewed
Jul 14, 2026
Last updated
Jul 14, 2026
EasyAdmin's
FileFieldandImageFieldaccept browser-executable file types by default (FileFieldapplies no MIME/extension restrictions;ImageField's defaultImageconstraint accepts SVG). When the upload directory is configured inside the public web root — as shown in the documentation — EasyAdmin links to the stored file inline (no download attribute orContent-Disposition: attachment).An attacker with access to a form using these fields can upload an
.html(FileField) or.svg(ImageField) file containing JavaScript. When another user opens it from the backend, it is served from the same origin and the script executes in the context of their authenticated admin session, enabling session/CSRF-token theft or privilege escalation.Exploitation requires the developer to store uploads in the public directory and a privilege gap between the uploading user and the viewing administrator. This is stored XSS only — it does not allow remote code execution, because uploaded filenames are derived from Symfony's
guessExtension(), which never produces.php/.phtml.Credit
We would like to thank Emre Dogan for reporting the issue.
References