15 matches found

CNNVD | added 2026/05/27 12:00 a.m.

Webmin cross-site scripting vulnerability

Webmin is a set of web-based system management tools for Unix-like operating systems, developed by the Webmin community. Versions of Webmin prior to 2.640 contain a cross-site scripting vulnerability. The vulnerability is triggered when viewing SVG document attachments in the mailboxes component,...

CVSS 6.1 | AI score 5.6 | EPSS 0.00031 | Exploits 0 | References 2
CVE | added 2026/05/20 7:13 p.m.

CVE-2026-39311

Trilium Notes (versions ≤ 0.102.1) contains a critical RCE due to insecure SVG handling: serving SVG attachments as image/svg+xml without sanitization, with Helmet CSP disabled and a publicly reachable backend execution API. The attacker can leverage Same-Origin Policy to fetch the document’s csr...

CVSS 6.8 | AI score 6.4 | EPSS 0.00126 | Exploits 0 | References 2
Positive Technologies | added 2026/05/20 12:00 a.m.

PT-2026-42225

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable...

CVSS 6.8 | AI score 6.4 | EPSS 0.00126 | Exploits 0 | References 3
Cvelist | added 2026/05/19 6:14 p.m.

CVE-2026-33741 EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry...

CVSS 6.8 | EPSS 0.00041 | Exploits 0 | References 1
CVE | added 2026/05/19 6:14 p.m.

CVE-2026-33741

EspoCRM prior to version 9.3.4 is affected by a Stored XSS via SVG attachments loading same-origin JavaScript. Versions 9.3.3 and earlier allow authenticated users to upload SVG attachments (through normal attachment fields) and later serve those SVGs as top-level inline documents via attachment ...

CVSS 6.8 | AI score 5.8 | EPSS 0.00041 | Exploits 0 | References 1
EUVD | added 2026/05/10 3:31 p.m.

EUVD-2021-34787

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

CVSS 6.4 | AI score 5.8 | EPSS 0.00034 | Exploits 0 | References 5
NVD | added 2026/05/10 1:16 p.m.

CVE-2021-47925

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

CVSS 6.4 | EPSS 0.00034 | Exploits 0 | References 4
Vulnrichment | added 2026/05/10 12:43 p.m.

CVE-2021-47925 CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting

CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file...

CVSS 6.4 | AI score 5.8 | EPSS 0.00034 | Exploits 0 | References 4
CNNVD | added 2026/02/25 12:00 a.m.

Vikunja cross-site scripting vulnerability

Vikunja is an open-source to-do application developed by the Vikunja developers. Versions of Vikunja prior to 2.0.0 have a cross-site scripting vulnerability. The vulnerability stems from allowing users to upload SVG files as task attachments without sanitizing the SVG content. As a result, embedded...

CVSS 7.3 | AI score 7.2 | EPSS 0.00065 | Exploits 1 | References 3
EUVD | added 2025/10/07 12:30 a.m.

EUVD-2017-7026

Malware in sbrugna...

CVSS 6.1 | AI score 6.5 | EPSS 0.00381 | Exploits 0 | References 5
EUVD | added 2025/10/03 8:07 p.m.

EUVD-2022-1711

Malicious code in bioql PyPI...

CVSS 8.2 | AI score 6.8 | EPSS 0.0095 | Exploits 1 | References 4
Prion | added 2022/06/24 5:15 p.m.

Cross site scripting

An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, filedownload.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScri...

CVSS 3.5 | AI score 5.3 | EPSS 0.00251 | Exploits 1 | References 3 | Affected software 1
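The entries above share one mechanism: an SVG uploaded as an attachment is later served as a top-level document on the application's own origin, so any script or event handler inside it runs with the viewer's session (MantisBT's filedownload.php opening the SVG in a tab rather than downloading it, Vikunja storing SVG "without sanitizing the SVG content", EspoCRM serving uploads "as top-level inline documents", Trilium letting the page fetch same-origin API data). The Python below is an added example, not code from any of the listed projects or advisories. It shows the two controls an attachment endpoint needs: an upload-time check that refuses SVG carrying active content, and response headers that force a download and sandbox anything that is rendered anyway. All function names, the SAFE_INLINE_TYPES policy and the sample documents are constructed for this illustration.

```python
"""Two server-side controls against stored XSS through SVG attachments.

Added example (not code from any listed project or advisory). Function names,
the SAFE_INLINE_TYPES policy and the sample documents below are constructed
for this illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# SVG elements that can run script, embed foreign (HTML) content or drive
# SMIL animation of attributes such as href.
ACTIVE_ELEMENTS = {
    "script", "foreignObject", "set", "animate", "animateTransform",
    "animateMotion", "handler", "iframe", "embed", "object",
}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Types a browser may render inline without executing script. Everything
# else (SVG, HTML, PDF, unknown) is forced to download.
SAFE_INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_active_content(data):
    """Return the reasons an SVG could execute script; an empty list means none found.

    Policy: no script-capable elements, no on* event handlers, and hrefs may
    only point inside the document itself (#id). Remote or scheme URLs are
    rejected outright instead of enumerating dangerous schemes.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    reasons = []
    # xml.etree expands internal entities; refuse DTD entity declarations up
    # front. Real deployments should parse with defusedxml instead.
    if b"<!ENTITY" in data.upper():
        reasons.append("DTD entity declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        reasons.append(f"not well-formed XML: {exc}")
        return reasons
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            local = _local(attr)
            if local.lower().startswith("on"):
                reasons.append(f"event handler {local} on <{name}>")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                reasons.append(f"non-local href {value.strip()[:40]!r} on <{name}>")
    return reasons


def accept_upload(filename, content_type, data):
    """Upload-time decision: an SVG is stored only when it carries no active content."""
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ctype == "image/svg+xml" or filename.lower().endswith(".svg"):
        return find_active_content(data) == []
    return True


def download_headers(filename, content_type):
    """Response headers an attachment endpoint should send for a stored upload."""
    ctype = (content_type or "").split(";", 1)[0].strip().lower() or "application/octet-stream"
    disposition = "inline" if ctype in SAFE_INLINE_TYPES else "attachment"
    return {
        "Content-Type": ctype,
        # RFC 5987 filename*: percent-encoding means quotes or CR/LF in a
        # user-chosen name cannot break out of the header.
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{quote(filename, safe='')}",
        # nosniff: the browser must not upgrade text/plain or octet-stream to HTML/SVG.
        "X-Content-Type-Options": "nosniff",
        # sandbox gives the response an opaque origin and script-src 'none'
        # blocks script, so even a rendered SVG cannot read cookies, CSRF
        # tokens or APIs on the application's origin.
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


# Constructed sample attachments.
BENIGN_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" viewBox="0 0 10 10">'
    '<defs><circle id="c" r="4"/></defs><use xlink:href="#c" x="5" y="5"/></svg>'
)
SCRIPT_SVG = f'<svg xmlns="{SVG_NS}"><script>fetch("/api/token").then(r => r.text())</script></svg>'
HANDLER_SVG = f'<svg xmlns="{SVG_NS}" onload="alert(document.cookie)"><rect width="1" height="1"/></svg>'
JS_HREF_SVG = f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}"><a xlink:href="javascript:alert(1)"><text>x</text></a></svg>'
ENTITY_SVG = f'<!DOCTYPE svg [<!ENTITY x "a">]><svg xmlns="{SVG_NS}"><text>&x;</text></svg>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG),
                       ("js-href", JS_HREF_SVG), ("entity", ENTITY_SVG)]:
        print(label, find_active_content(doc) or "clean")
    print(download_headers("diagram.svg", "image/svg+xml"))
```

The two controls are deliberately independent: the upload check catches the common payloads, while the headers make a missed one harmless, because a document downloaded as an attachment is never rendered and a document under a CSP sandbox has no access to the application's origin. Rejecting every non-fragment href is a policy choice for attachments (an uploaded image has no business referencing anything outside itself); loosen it only with an explicit scheme and host allowlist, and parse with defusedxml rather than xml.etree in production.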
CNNVD | added 2022/06/24 12:00 a.m.

MantisBT cross-site scripting vulnerability

MantisBT is a web-based open source defect tracking system from the MantisBT team. It provides project management and defect tracking services through a web interface. A cross-site scripting vulnerability exists in MantisBT versions prior to 2.25.5, which originated from a...

CVSS 5.4 | AI score 5.6 | EPSS 0.00251 | Exploits 1 | References 4
Tenable Nessus | added 2020/11/12 12:00 a.m.

Debian DLA-2446-1 : moin security update

Two vulnerabilities were discovered in moin, a Python clone of WikiWiki. CVE-2020-15275: Catarina Leite discovered that moin is prone to a stored XSS vulnerability via SVG attachments. CVE-2020-25074: Michael Chapman discovered that moin is prone to a remote code execution vulnerability via the cac...

CVSS 9.8 | AI score 7.3 | EPSS 0.12807 | Exploits 1 | References 5
OSV | added 2017/10/18 2:29 a.m.

UBUNTU-CVE-2017-15574

In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible by using an SVG document as an attachment...

CVSS 6.1 | AI score 6.7 | EPSS 0.00381 | Exploits 0 | References 4