Intel

AIKIDO-2026-242641

silverstripe/framework is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)CVE-2026-54720 Published Jun 24, 2026

54

Medium Risk

This Affects:

PHPsilverstripe/framework
3.0.0 - 6.2.1
Fixed in 6.2.2
Are you affected? Scan for Free

TL;DR

The silverstripe/framework CMS exposes an Insert media from web feature that renders oEmbed results through EmbedShortcodeProvider. When the resolved embed HTML contains two or fewer tags, sandboxHtml returns it directly into the page instead of isolating it in a sandboxed iframe, so the embed markup runs in the context of the main document. An attacker who controls the embed response can include event-handler attributes such as onload or a javascript: or data: iframe source, causing script to execute in a CMS user's browser. The fix strips unknown and dangerous attributes and rejects unsafe URL schemes on non-sandboxed iframes.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your CMS lets authors insert media from web (embed) URLs that can be attacker-influenced.

Background info

silverstripe/framework is vulnerable to Cross-Site Scripting (XSS) in versions 3.0.0 - 6.2.1.

How to fix this

Upgrade the silverstripe/framework library to the patch version.