42 matches found

RedhatCVE
added 2026/03/07 1:44 a.m. · 4 views

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 7.2 · AI score 5.7 · EPSS 0.00045
Exploits 0 · References 1
Cvelist
added 2026/03/05 8:21 p.m. · 26 views

CVE-2026-28436 Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 5.3 · EPSS 0.00045
Exploits 0 · References 1
Vulnrichment
added 2026/03/05 8:21 p.m. · 3 views

CVE-2026-28436 Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 5.3 · AI score 5.7 · EPSS 0.00045
Exploits 0 · References 1
NVD
added 2025/12/03 3:15 p.m. · 1 view

CVE-2025-65267

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful...

CVSS 9 · EPSS 0.00046
Exploits 0 · References 3
Positive Technologies
added 2025/12/03 12:00 a.m. · 2 views

PT-2025-48816

Name of the Vulnerable Software and Affected Versions: ERPNext version 15.83.2, Frappe Framework version 15.86.0. Description: Improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the...

CVSS 9 · AI score 5.8 · EPSS 0.00046
Exploits 0 · References 9
RedhatCVE
added 2025/10/21 4:31 p.m. · 4 views

CVE-2025-11945

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The...

CVSS 5.1 · AI score 5.6 · EPSS 0.00028
Exploits 0 · References 1
CVE
added 2025/10/19 9:02 p.m. · 7 views

CVE-2025-11945

AFFiNE (toeverything) up to version 0.24.1 contains a cross-site scripting flaw in the Avatar Upload Image Endpoint due to manipulation of unknown code paths. The issue can be exploited remotely and a public exploit exists; vendor did not respond to disclosure. No remediation details are provided...

CVSS 5.1 · AI score 5.4 · EPSS 0.00028
Exploits 0 · References 4
Cvelist
added 2025/10/19 9:02 p.m. · 9 views

CVE-2025-11945 toeverything AFFiNE Avatar Upload Image Endpoint cross site scripting

A vulnerability was identified in toeverything AFFiNE up to 0.24.1. This vulnerability affects unknown code of the component Avatar Upload Image Endpoint. Such manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The...

CVSS 5.1 · EPSS 0.00028
Exploits 0 · References 4
OSV
added 2025/10/19 4:15 p.m. · 2 views

CVE-2025-11941

A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction results in path traversal. It is possible to initiate the attack...

CVSS 8.1 · AI score 6.7
Exploits 0 · References 5
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2021-28673

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.4 · EPSS 0.00513
Exploits 1 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2023-12905

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 7 · EPSS 0.00479
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 2:53 a.m. · 3 views

CVE-2023-0918

A vulnerability has been found in codeprojects Pharmacy Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file add.php of the component Avatar Image Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The...

CVSS 9.8 · AI score 6.7 · EPSS 0.00479
Exploits 0 · References 1
Veracode
added 2024/03/29 12:07 p.m. · 5 views

Unrestricted Upload Of File With Dangerous Type

ZITADEL is vulnerable to Unrestricted Upload of File with Dangerous Type. The vulnerability is caused by bypassing the ContentTypeAllowed function in asset.go with a malicious avatar image upload. Files with MIME types not intended for use as avatar images are allowed. To be vulnerable, a differe...

CVSS 8.7 · AI score 6.6 · EPSS 0.01087
Exploits 0 · References 10 · Affected Software 1
Cvelist
added 2024/03/27 7:18 p.m. · 15 views

CVE-2024-29891 ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in th...

CVSS 8.7 · AI score 8.8 · EPSS 0.01087
Exploits 0 · References 8
Veracode
added 2024/03/07 9:07 a.m. · 17 views

Improper Authorization

github.com/IceWhaleTech/CasaOS-UserService is vulnerable to Improper Authorization. The vulnerability is due to improper path filtering in the URL of user avatar image files. The regular expression used in the code snippet fails to sufficiently restrict access, allowing unauthorized actors to...

CVSS 9.8 · AI score 6.9 · EPSS 0.00462
Exploits 1 · References 3 · Affected Software 1
Positive Technologies
added 2024/03/06 12:00 a.m. · 1 view

PT-2024-20543 · Unknown · Casaos-Userservice

Name of the Vulnerable Software and Affected Versions: CasaOS-UserService versions prior to 0.4.7 Description: The issue concerns a path traversal vulnerability in the UserService API, which allows an unauthorized actor to access any file on the system due to insufficient path filtering for user...

CVSS 9.8 · AI score 7.4 · EPSS 0.00462
Exploits 1 · References 9
OSV
added 2024/01/29 3:54 p.m. · 12 views

CVE-2024-23826 Uploading an image with a specific filename causes a server-side DoS

spbusesite is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is...

CVSS 6.8 · AI score 5.5 · EPSS 0.00214
Exploits 1 · References 4
CVE
added 2024/01/23 10:49 p.m. · 63 views

CVE-2023-47115

CVE-2023-47115: Label Studio before version 1.9.2 contains an XSS vulnerability via avatar upload. The vulnerability stems from the avatar handling in label_studio/users/functions.py, which only validates that the uploaded file is an image by checking dimensions; it does not securely validate th...

CVSS 7.1 · AI score 5.1 · EPSS 0.04247
Exploits 1 · References 5 · Affected Software 1
OSV
added 2024/01/23 10:49 p.m. · 10 views

CVE-2023-47115 Label Studio XSS Vulnerability on Avatar Upload

Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary...

CVSS 7.1 · AI score 5.5 · EPSS 0.04247
Exploits 1 · References 7
Positive Technologies
added 2024/01/23 12:00 a.m. · 2 views

PT-2024-13407 · Django +1 · Django +1

Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.9.2 Description: The issue is a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the...

CVSS 7.1 · AI score 5.6 · EPSS 0.04247
Exploits 1 · References 11