CVE-2026-33311

DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options backgroundColor, fontFamily, textColor were not XML-escaped before interpolation into SVG...

CVE-2026-30948

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting XSS vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with...

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

OPENSUSE-SU-2026:20323-1 Security update for roundcubemail

This update for roundcubemail fixes the following issues: Changes to roundcubemail: Update to 1.6.13: This is a security update to the stable version 1.6 of Roundcube Webmail. It provides fixes to recently reported security vulnerabilities: + Fix CSS injection vulnerability reported by CERT Polsk...

NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content

Summary A Cross-Site Scripting XSS vulnerability exists in the ui.interactiveimage component of NiceGUI v3.3.1 and earlier. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG tag. Detail...

CVE-2025-66512 Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside...

CVE-2025-66512 Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside...

CVE-2025-66512 Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside...

EUVD-2023-0483

Malicious code in bioql PyPI...

CVE-2025-59525 Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

Horilla is a free and open source Human Resource Management System HRMS. Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG and via allowed , which can be chained to execute JavaScript whenever users view impacted content e.g., announcements. This can...

PT-2024-17544

Name of the Vulnerable Software and Affected Versions Jirafeau affected versions not specified Description The issue concerns a case insensitive MIME type bypass that enables SVG XSS in Jirafeau. Normally, Jirafeau prevents browser preview for SVG files to prevent cross-site scripting exploitatio...

CVE-2024-54123

Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format...

CVE-2024-9068

The OneElements – Best Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2024-41052 · Unknown · Roundcube Webmail

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.6.x Description: The issue concerns several security problems, including cross-site scripting XSS vulnerabilities in handling SVG animate attributes and list columns from user preferences, as well as a command...

CVE-2022-21948

An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions...