Shopware: Stored XSS via SVG file upload — no SVG sanitization

SVG files are in the allowedextensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Problem...

CVE-2026-38948

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

CVE-2026-40487

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the Content-Type header. The uploaded files are then served by nginx with a...

CVE-2026-25100 Stored XSS via SVG File Upload in Bludit

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its image upload functionality. An authenticated attacker with content upload privileges such as Author, Editor, or Administrator can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the...

CVE-2025-65734

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file...

CVE-2026-3749 Bytedesk SVG File UploadRestService.java handleFileUpload unrestricted upload

A weakness has been identified in Bytedesk up to 1.3.9. This vulnerability affects the function handleFileUpload of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestService.java of the component SVG File Handler. Executing a manipulation can lead to unrestricted upload. The...

CVE-2026-3748

A CVE-2026-3748 vulnerability affects Bytedesk up to 1.3.9 in the SVG File Handler’s UploadRestController.uploadFile function. The flaw allows unrestricted file upload via manipulation of the uploadFile endpoint, with remote exploitation reported as possible and the exploit released publicly. A f...

CVE-2026-3748 Bytedesk SVG File UploadRestController.java uploadFile unrestricted upload

A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitati...

CVE-2021-47783

Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform...

CVE-2023-49279

Umbraco is an ASP.NET content management system CMS. Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a...

CVE-2026-0627

CVE-2026-0627 affects the AMP for WP plugin for WordPress (vulnerable up to 1.1.10). It is a stored XSS via malicious SVG uploads; requires Author-level authentication and executes when a user views the uploaded file. The issue arises from insufficient sanitization that only removes script tags, ...

CVE-2024-2324

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers t...

CVE-2025-14120 URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to injec...

CVE-2025-14120 URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to injec...

CVE-2023-53909 WBCE CMS 1.6.1 SVG File Content Cross-Site Scripting

WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the...

CVE-2023-53903 WebsiteBaker 2.13.3 Stored Cross-Site Scripting via SVG File Upload

WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting...

CVE-2025-12570 Fancy Product Designer <= 6.4.8 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for...

WordPress BSK PDF Manager plugin <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by rajanhoyr in WordPress Plugin BSK PDF Manager versions = 3.7.1...

CVE-2025-9163 Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzezpropertyimgupload and houzezpropertyattachmentupload functions. This makes it possib...

CVE-2025-9163

The CVE-2025-9163 entry concerns the WordPress Houzez theme vulnerable to Stored Cross-Site Scripting via SVG file uploads in versions up to 4.1.6. Root cause: insufficient input sanitization and output escaping in the functions houzez_property_img_upload() and houzez_property_attachment_upload()...