Security Releases
When potential security holes are discovered in SilverStripe's supported modules, we produce security releases to ensure that you are able to promptly secure your SilverStripe websites (check our security release process). All releases are available on our download page, and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
-
CVE-2026-55779 XSS in archive admin restore
- Severity:
- Medium (?)
- Identifier:
- CVE-2026-55779
- Versions Affected:
- silverstripe/versioned: < 3.2.1
- Versions Fixed:
- silverstripe/versioned: 3.2.1
- Release Date:
- 2026-06-24
It's possible to use the page title as an XSS vector when restoring a page in ArchiveAdmin
Base CVSS: 5.4
Reported by: Steve Boyd, Silverstripe Ltd. -
CVE-2026-54721 Remote code execution via userforms email subject
- Severity:
- High (?)
- Identifier:
- CVE-2026-54721
- Versions Affected:
- silverstripe/userforms: < 6.4.9 || >= 7.0.0, < 7.0.7 || >= 7.1.0, < 7.1.1
- Versions Fixed:
- silverstripe/userforms: 6.4.9, 7.0.7, 7.1.1
- Release Date:
- 2026-06-24
The userform email subject field in the CMS is vulnerable to a specially crafted payload being used to run arbitrary code on the server.
Base CVSS: 8.8
Reported by: Jack Wallace from Bastion Security -
CVE-2026-54720 XSS attack through media embed
- Severity:
- Medium (?)
- Identifier:
- CVE-2026-54720
- Versions Affected:
- silverstripe/framework: < 6.2.2
- Versions Fixed:
- silverstripe/framework: 6.2.2
- Release Date:
- 2026-06-24
The "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed.
Base CVSS: 5.4
Reported by: Jack Wallace from Bastion Security -
CVE-2026-54718 Remote code execution via advanced workflow email template
- Severity:
- High (?)
- Identifier:
- CVE-2026-54718
- Versions Affected:
- symbiote/silverstripe-advancedworkflow: < 6.4.5 || >= 7.0.0, < 7.1.3 || >= 7.2.0, < 7.2.1
- Versions Fixed:
- symbiote/silverstripe-advancedworkflow: 6.4.5, 7.1.3, 7.2.1
- Release Date:
- 2026-06-24
The advanced workflow email template field is vulnerable to a specially crafted payload that can be used to run arbitrary code on the server.
Base CVSS: 7.2
Reported by: Steve Boyd, Silverstripe Ltd. -
CVE-2026-54717 XSS in breadcrumbs in page list view
- Severity:
- Medium (?)
- Identifier:
- CVE-2026-54717
- Versions Affected:
- silverstripe/cms: < 6.2.1
- Versions Fixed:
- silverstripe/cms: 6.2.1
- Release Date:
- 2026-06-24
Page breadcrumbs in the CMS are vulnerable to XSS when viewed using the page list view
Base CVSS: 5.4
Reported by: Fase Rais Baradika -
CVE-2026-24749 DBFile permission bypass
- Severity:
- Medium (?)
- Identifier:
- CVE-2026-24749
- Versions Affected:
- silverstripe/assets: <2.4.5, >=3.0.0 <3.1.3
- Versions Fixed:
- silverstripe/assets: 2.4.5, 3.1.3
- Release Date:
- 2026-04-16
Images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions.
Base CVSS: 5.3
Reported by: Restruct web & apps -
SS-2025-001 User enumeration via timing attack
- Severity:
- Medium (?)
- Identifier:
- SS-2025-001
- Versions Affected:
- silverstripe/framework: <5.3.23
- Versions Fixed:
- silverstripe/framework: 5.3.23
- Release Date:
- 2025-04-10
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+
Base CVSS: 5.3
-
CVE-2025-30148 XSS vulnerability in HTML editor
- Severity:
- Medium (?)
- Identifier:
- CVE-2025-30148
- Versions Affected:
- silverstripe/framework: <5.3.23
- Versions Fixed:
- silverstripe/framework: 5.3.23
- Release Date:
- 2025-04-10
A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it.
The server-side sanitisation logic has been updated to sanitise against this attack.
Base CVSS: 5.4
Reported by: James Nicoll from Fujitsu Cyber -
CVE-2025-25197 XSS attack in elemental "Content blocks in use" report
- Severity:
- Medium (?)
- Identifier:
- CVE-2025-25197
- Versions Affected:
- dnadesign/silverstripe-elemental: <5.3.12
- Versions Fixed:
- dnadesign/silverstripe-elemental: 5.3.12
- Release Date:
- 2025-04-10
An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report.
The vulnerability is specific to that report and is a result of failure to cast input prior to including it in the grid field.
Base CVSS: 5.4
Reported by: Guy Sartorelli from Silverstripe Ltd. -
SS-2024-002 Reflected Cross Site Scripting (XSS) in error message
- Severity:
- None (?)
- Identifier:
- SS-2024-002
- Versions Affected:
- silverstripe/framework: <5.3.8
- Versions Fixed:
- silverstripe/framework: 5.3.8
- Release Date:
- 2025-01-15
This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode.
See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information.If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.
-
CVE-2024-53277 XSS in form messages
- Severity:
- Medium (?)
- Identifier:
- CVE-2024-53277
- Versions Affected:
- silverstripe/framework: <5.3.8
- Versions Fixed:
- silverstripe/framework: 5.3.8
- Release Date:
- 2025-01-15
In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message.
Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability.
Base CVSS: 5.4
Reported by: Leo Diamat from Bastion Security Group -
CVE-2024-47605 XSS via insert media remote file oembed
- Severity:
- Medium (?)
- Identifier:
- CVE-2024-47605
- Versions Affected:
- silverstripe/framework: <5.3.8
- Versions Fixed:
- silverstripe/framework: 5.3.8
- Release Date:
- 2025-01-15
When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.
See https://docs.silverstripe.org/en/developer_guides/forms/field_types/htmleditorfield/#sandboxing-oembed-html for details about configuring embed sandboxing.
Base CVSS: 5.4
Reported by: James Nicoll from Fujitsu Cyber Security Services -
SS-2024-001 TinyMCE allows svg files linked in object tags
- Severity:
- Medium (?)
- Identifier:
- SS-2024-001
- Versions Affected:
- silverstripe/framework: <5.2.16
- Versions Fixed:
- silverstripe/framework: 5.2.16
- Release Date:
- 2024-07-17
TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to saved which can be used as a vector for XSS attacks
After patching the default value of convert_unsafe_embeds will be set to true. This means that object tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved object tags. Users are to override this config if desired so that object tags are again used instead of iframes. Note that embed tags are not allowed by default.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.This vulnerability was described by TinyMCE as follows:
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an
objectorembedelement and that image could potentially contain a XSS payload.Base CVSS: 5.4
Reported by: Steve Boyd - Silverstripe CMS SquadReferences
-
CVE-2024-32981 XSS Vulnerability with text/html base64-encoded payload
- Severity:
- Medium (?)
- Identifier:
- CVE-2024-32981
- Versions Affected:
- silverstripe/framework: <5.2.16
- Versions Fixed:
- silverstripe/framework: 5.2.16
- Release Date:
- 2024-07-17
A specially crafted XSS payload could be inserted into a field in the CMS when logged in as a CMS user with regular permissions. This XSS could be executed either in the CMS or on the front-end of the website.
Base CVSS: 5.4
Reported by: Jack Wallace from Bastion SecurityReferences
-
CVE-2024-29885 Reports are still accessible even when canView is set to false
- Severity:
- Medium (?)
- Identifier:
- CVE-2024-29885
- Versions Affected:
- silverstripe/reports: <5.2.3
- Versions Fixed:
- silverstripe/reports: 5.2.3
- Release Date:
- 2024-07-17
The `Report` class has a `canView` method. If that method is configured to return `false`, the current user should not be able to view the report. While the report list will omit any `canView` `false` reports, those reports can still access them directly assuming the user has the `CMS_ACCESS_ReportAdmin` permission.
After patching the `canView` check will be properly respectedBase CVSS: 4.3
Reported by: Nate Devereux and Fiona Black from Silverstripe Ltd.References