25 matches found
EUVD-2026-32528
Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain)...
CVE-2026-39311 Trilium Notes: Stored XSS Leads to Unauthorized Remote Code Execution (RCE) via Unsanitized SVG Attachments
Trilium Notes is a cross-platform, hierarchical note-taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable...
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure
Details: The application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as script tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is...
EUVD-2022-6058
Malicious code in bioql PyPI...
CVE-2022-1982
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post...
CVE-2024-56358 Cross-site Scripting vulnerability through svg attachment previews in grist-core
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are...
CVE-2023-1776 Stored XSS via SVG attachment on Boards
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file...
SUSE CVE-2017-15574
In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment...
Mattermost Resource Management Error Vulnerability (CNVD-2022-65349)
Mattermost is an open source collaboration platform from Mattermost, Inc. A resource management error vulnerability exists in versions prior to Mattermost 6.6.0, which stems from uncontrolled consumption of resources and can be exploited by an attacker to crash the server via a specially crafted...
GHSA-GWPF-95JC-63RV Uncontrolled Resource Consumption in Mattermost server
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post...
Uncontrolled Resource Consumption in Mattermost server
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post...
Code injection
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post...
CVE-2022-1982
CVE-2022-1982 affects Mattermost up to version 6.6.0. The issue is uncontrolled resource consumption triggered by processing a crafted SVG attachment in a post, allowing an authenticated attacker to crash the server. The provided documents do not specify a patch version or remediation steps.
CVE-2022-1982 A crafted SVG attachment can crash a Mattermost server
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post...
Persistent Cross-site Scripting vulnerability in PrivateBin
In PrivateBin polygon id="triangle" points="0,0 0,50 50,0" fill="00990...
CVE-2022-24833 Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin
PrivateBin is a minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called...
MoinMoin Cross-Site Scripting Vulnerability
MoinMoin is an open source, scalable wiki engine written in Python. A cross-site scripting vulnerability exists in versions prior to MoinMoin 1.9.11, which can be exploited by an attacker to trigger cross-site scripting via an SVG attachment in order to run JavaScrip...
GHSA-4Q96-6XHQ-FF43 malicious SVG attachment causing stored XSS vulnerability
Impact: An attacker with write permissions can upload an SVG file that contains malicious JavaScript. This JavaScript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Patches: Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 ha...