445 matches found
PT-2025-30911 · Opencart · Opencart 4.1.0.4
Name of the Vulnerable Software and Affected Versions: OpenCart version 4.1.0.4 Description: OpenCart version 4.1.0.4 is susceptible to a Stored Cross-Site Scripting XSS attack through the upload of SVG files used in blog posts. The issue occurs because SVG files uploaded via the media manager ar...
CVE-2025-45893
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting XSS attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded...
Cross-Site Scripting (XSS)
bagisto/bagisto is vulnerable to Cross-Site Scripting. The vulnerability is due to improper validation of uploaded SVG files, which allows an attacker to execute arbitrary code via a crafted file upload...
CVE-2025-46000
An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file...
CVE-2025-45055
Silverpeas 6.4.2 contains a stored cross-site scripting XSS vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attacker...
GHSA-49RR-34J5-R8MW juzaweb CMS allows cross-site scripting by uploading an SVG file
A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can...
CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...
CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...
CVE-2025-4963
The CVE-2025-4963 entry describes a Stored Cross-Site Scripting (XS S) vulnerability in the WordPress WP Extended plugin. Affected software: WP Extended plugin for WordPress (versions up to and including 3.0.15). Root cause: insufficient input sanitization and output escaping for SVG file uploads...
CVE-2025-21616
Plane is an open-source project management tool. A cross-site scripting XSS vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims'...
CVE-2024-43801
Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...
CVE-2024-3344
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-29319
Volmarg Personal Management System 1.4.64 is vulnerable to SSRF Server Side Request Forgery via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls...
CVE-2024-27706
Cross Site Scripting vulnerability in Huly Platform v.0.6.202 allows attackers to execute arbitrary code via upload of crafted SVG file to issues...
CVE-2024-5226
The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level...
CVE-2024-23348
Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote...
CVE-2024-47618
Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ other users including...
CVE-2024-57277
InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting XSS via SVG file upload...
CVE-2024-8370
A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file /api/files/recipepictures/ of the component SVG File Upload Handler. The manipulation of the argument forceserveas with the input picture' leads to cross site scripting. T...
CVE-2024-11184
The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts...