93 matches found
CVE-2026-39970 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...
CVE-2026-39970
The CVE covers TypeBot (chatbot builder) ≤ version 3.15.2, where the profile picture upload form fails to sanitize SVG/XML uploads and directly renders them. This enables stored XSS via crafted SVGs containing JavaScript, with payload stored on app.typebot.io and accessible via a permanent link, ...
CVE-2025-51414
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page...
CVE-2025-51414
Phpgurukul Online Course Registration v3.1 is affected by an arbitrary file upload vulnerability in the profile picture upload at /my-profile.php. The CVE details indicate a high-severity issue (CVSS 3.1: 8.8) with network access and low attacker/authentication requirements, enabling total impact...
CVE-2026-5472
CVE-2026-5472 affects ProjectsAndPrograms School Management System (up to build 6b6fae5426044f89c08d0dd101c7fa71f9042a59). The vulnerability lies in the Profile Picture Handler, specifically an unknown function in /admin_panel/settings.php that manipulates the File argument to cause unrestricted ...
CVE-2025-70151
code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints updateprofilepicture.php and uploadpicture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied...
CVE-2023-4536
The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE...
CVE-2024-2299
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is...
CVE-2024-2288
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without thei...
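The entries above share one root cause: a profile picture endpoint that trusts the client-supplied filename or MIME type and then either renders the bytes inline from the application origin (SVG/HTML stored XSS, as in the TypeBot and lollms-webui entries) or writes them under the original name into a web-served directory (arbitrary upload to RCE, as in the Phpgurukul, Scholars Tracking System and My Account Page Editor entries). The validator below is an added example, not code from any of the listed projects; the byte signatures, size limit and sample payloads are constructed here for illustration. It decides acceptance from the file's leading bytes only, rejects anything that parses as markup, and derives both the stored filename and the served Content-Type from what was sniffed rather than from the upload.

```python
import secrets

# Leading-byte signatures of the raster formats a profile picture endpoint should accept.
# Extension and client Content-Type are deliberately ignored; only content decides.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    pass


def looks_like_markup(data: bytes) -> bool:
    """True for anything XML/HTML/PHP-shaped: SVG is XML, and a browser that
    navigates to a stored SVG on the app origin runs its <script> and on* handlers."""
    head = data[:1024]
    if head.startswith(b"\xef\xbb\xbf"):  # strip a UTF-8 BOM before sniffing
        head = head[3:]
    head = head.lstrip().lower()
    return head.startswith(b"<") or b"<svg" in head or b"<script" in head or b"<html" in head


def sniff_image_type(data: bytes):
    for magic, (ext, mime) in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return ext, mime
    return None


def validate_profile_picture(original_name: str, data: bytes):
    """Return (stored_name, mime) for an acceptable upload, else raise UploadRejected.
    original_name is never used to build the stored path; the stored name is random
    and its extension comes from the sniffed type, so a 'shell.php' that carries a
    GIF header is stored as <random>.gif and never reaches a script handler."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected(f"{original_name!r}: bad size")
    if looks_like_markup(data):
        raise UploadRejected(f"{original_name!r}: markup/SVG content rejected")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected(f"{original_name!r}: not an allowed raster image")
    ext, mime = sniffed
    return f"{secrets.token_hex(16)}.{ext}", mime


def response_headers(mime: str) -> dict:
    """Headers to serve a stored picture with: fixed MIME, no sniffing, and a CSP
    that sandboxes the response in case a bad file ever reaches storage."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def check(original_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be accepted."""
    try:
        validate_profile_picture(original_name, data)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads (not real payloads from the advisories above).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_SVG_XSS = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>'
SAMPLE_HTML = b"<html><script>alert(1)</script></html>"
SAMPLE_PHP = b"<?php system($_GET['c']); ?>"
SAMPLE_GIF_PHP_POLYGLOT = b"GIF89a" + b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("avatar.svg", SAMPLE_SVG_XSS),
                       ("avatar.png", SAMPLE_SVG_XSS), ("page.html", SAMPLE_HTML),
                       ("shell.php", SAMPLE_PHP), ("shell.php", SAMPLE_GIF_PHP_POLYGLOT)]:
        print(name, "accepted" if check(name, blob) else "rejected")
```

The polyglot case shows why the stored extension must come from the sniffed type: the bytes are accepted as a GIF, but they land as `<random>.gif` under a name the attacker cannot predict or request as `shell.php`, so the PHP tail is inert. Serving with `nosniff` and a sandboxing CSP is the second layer for the SVG/HTML case, for deployments that must keep an SVG-accepting path.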
EUVD-2020-19220
Malware in sbrugna...
EUVD-2018-2030
Malware in sbrugna...
EUVD-2024-50553
Malicious code in bioql PyPI...
EUVD-2023-41664
Malicious code in bioql PyPI...
EUVD-2023-2992
Malicious code in bioql PyPI...
EUVD-2022-7364
Malicious code in bioql PyPI...
EUVD-2025-9754
Malicious code in bioql PyPI...
EUVD-2024-27243
Malicious code in bioql PyPI...