Lucene search
K

445 matches found

Positive Technologies
Positive Technologies
added 2025/07/25 12:0 a.m.10 views

PT-2025-30911 · Opencart · Opencart 4.1.0.4

Name of the Vulnerable Software and Affected Versions: OpenCart version 4.1.0.4 Description: OpenCart version 4.1.0.4 is susceptible to a Stored Cross-Site Scripting XSS attack through the upload of SVG files used in blog posts. The issue occurs because SVG files uploaded via the media manager ar...

6.1CVSS5.5AI score0.00246EPSS
Exploits1References7
Cvelist
Cvelist
added 2025/07/25 12:0 a.m.25 views

CVE-2025-45893

OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting XSS attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded...

0.00246EPSS
Exploits1References2
Veracode
Veracode
added 2025/07/23 8:4 a.m.4 views

Cross-Site Scripting (XSS)

bagisto/bagisto is vulnerable to Cross-Site Scripting. The vulnerability is due to improper validation of uploaded SVG files, which allows an attacker to execute arbitrary code via a crafted file upload...

4.8CVSS5.5AI score0.0061EPSS
Exploits1References7Affected Software1
RedhatCVE
RedhatCVE
added 2025/07/20 12:51 a.m.9 views

CVE-2025-46000

An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file...

6.5CVSS7.4AI score0.00448EPSS
Exploits1References1
OSV
OSV
added 2025/06/09 12:0 a.m.6 views

CVE-2025-45055

Silverpeas 6.4.2 contains a stored cross-site scripting XSS vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attacker...

5.4CVSS5.8AI score0.00267EPSS
Exploits1References4
OSV
OSV
added 2025/06/02 12:30 a.m.6 views

GHSA-49RR-34J5-R8MW juzaweb CMS allows cross-site scripting by uploading an SVG file

A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can...

5.1CVSS6.2AI score0.00278EPSS
Exploits1References6
Cvelist
Cvelist
added 2025/05/28 9:22 a.m.22 views

CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...

6.4CVSS0.00244EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/05/28 9:22 a.m.6 views

CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...

6.4CVSS5.8AI score0.00244EPSS
Exploits0References4
CVE
CVE
added 2025/05/28 9:22 a.m.58 views

CVE-2025-4963

The CVE-2025-4963 entry describes a Stored Cross-Site Scripting (XS S) vulnerability in the WordPress WP Extended plugin. Affected software: WP Extended plugin for WordPress (versions up to and including 3.0.15). Root cause: insufficient input sanitization and output escaping for SVG file uploads...

6.4CVSS5.8AI score0.00244EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/05/23 11:34 a.m.7 views

CVE-2025-21616

Plane is an open-source project management tool. A cross-site scripting XSS vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims'...

5.4CVSS5.6AI score0.00263EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:29 a.m.9 views

CVE-2024-43801

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...

5.4CVSS5.2AI score0.00346EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 10:12 a.m.10 views

CVE-2024-3344

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.9AI score0.0032EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:8 a.m.10 views

CVE-2024-29319

Volmarg Personal Management System 1.4.64 is vulnerable to SSRF Server Side Request Forgery via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls...

9.8CVSS6.8AI score0.00385EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:8 a.m.8 views

CVE-2024-27706

Cross Site Scripting vulnerability in Huly Platform v.0.6.202 allows attackers to execute arbitrary code via upload of crafted SVG file to issues...

6.1CVSS7.4AI score0.00379EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:48 a.m.8 views

CVE-2024-5226

The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.9AI score0.00311EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:42 a.m.9 views

CVE-2024-23348

Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote...

8.8CVSS7.3AI score0.0069EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 8:59 a.m.6 views

CVE-2024-47618

Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims’ other users including...

5.4CVSS6.1AI score0.00362EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:28 a.m.5 views

CVE-2024-57277

InnoShop V.0.3.8 and below is vulnerable to Cross Site Scripting XSS via SVG file upload...

5.7CVSS6.1AI score0.00451EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:18 a.m.7 views

CVE-2024-8370

A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file /api/files/recipepictures/ of the component SVG File Upload Handler. The manipulation of the argument forceserveas with the input picture' leads to cross site scripting. T...

5.4CVSS4AI score0.00406EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:56 a.m.5 views

CVE-2024-11184

The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts...

4.8CVSS6.8AI score0.00408EPSS
Exploits1References1
Rows per page
Query Builder