Cross-site Scripting (XSS) - Stored in forkcms/forkcms


Reported on

Oct 20th 2021


When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting.

Proof of Concept

  • I downloaded the Kompact theme (, extracted it and changed in info.xml the description part to:
  • After adjusting info.xml, I packed all files back into a zip file and uploaded it in ForkCMS.

  • When the user opens the "Details" page of the theme, the JavaScript code (the alert) will be executed.


  • Executing any JavaScript an attacker could think of. By default, it is used to steal session cookies.
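
Added example (not part of the original report and not Fork CMS code): the description read from an uploaded theme's info.xml is untrusted input, so it has to be HTML-encoded where the details page prints it. The XML layout, the function names and the sample description below are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample of a theme info.xml. The element layout is an assumption;
// the report only states that the description part of info.xml was changed.
$infoXml = <<<'XML'
<theme>
  <name>Sample theme</name>
  <description><![CDATA[Clean layout <script>alert(1)</script>]]></description>
</theme>
XML;

/** Read the description from untrusted theme metadata as plain text. */
function readThemeDescription(string $xml): string
{
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch remote resources while parsing an uploaded file.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        throw new InvalidArgumentException('info.xml is not well-formed');
    }
    return trim((string) $doc->description);
}

/** Vulnerable rendering: the stored value is placed into HTML unchanged. */
function renderDetailsUnsafe(string $description): string
{
    return '<p class="description">' . $description . '</p>';
}

/** Hardened rendering: encode for the HTML context at output time. */
function renderDetailsSafe(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="description">' . $encoded . '</p>';
}

$description = readThemeDescription($infoXml);
echo renderDetailsUnsafe($description), PHP_EOL; // script element reaches the browser intact
echo renderDetailsSafe($description), PHP_EOL;   // markup is shown as inert text

// Regression check a test suite could carry: no raw "<script" after encoding.
assert(stripos(renderDetailsSafe($description), '<script') === false);
```

Encoding at output rather than at upload keeps the stored value intact and protects every page that prints it, including themes uploaded before the fix.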


We have contacted a member of the forkcms team and are waiting to hear back a year ago
Jelmer Prins validated this vulnerability a year ago
kstarkloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins
a year ago


fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 981730 a year ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE
Model.php#L903 has been validated