ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery
ThingsBoard IoT Platform version 4.2.0 suffers from a server-side request forgery vulnerability. Exploit Title: ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery SSRF Date: 2026-03-25 Exploit Author: Tamil Mathi T. Vendor Homepage: https://thingsboard.io Software Link:...
CVE-2026-25648
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without...
CVE-2026-22254
CVE-2026-22254 affects Winter CMS prior to 1.2.10, where the Asset Manager allowed uploading SVGs without automatic sanitization if a user had cms.manage_assets. This could enable stored XSS in affected deployments, though the attacker must have backend access with that permission. The issue is fi...
PT-2025-48282
Name of the Vulnerable Software and Affected Versions ThingsBoard versions prior to 4.2.1 Description An authenticated user can upload malicious SVG images through the "Image Gallery". This leads to a Stored Cross-Site Scripting XSS issue. The exploit is triggered when any user accesses the publi...
EUVD-2021-23471
Malware in sbrugna...
EUVD-2018-4279
Malware in sbrugna...
EUVD-2022-3854
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2020-8035
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting XSS vulnerability via an SVG image...
AlegroCart 1.2.9 Cross Site Scripting
AlegroCart version 1.2.9 suffers from persistent and reflective cross site scripting vulnerabilities. Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9 Date: 04/2025 Exploit Author: Andrey Stoykov Version: 1.2.9 Tested on: Debian 12 Blog: https://msecureltd.blogspot.com/ XSS via SVG Imag...
Cross-site Scripting (XSS)
Overview backdrop/backdrop is a CMS that helps you build websites for businesses and non-profits. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to insufficient validation of uploaded SVG images. A user with SVG upload privileges who convinces another user to...
CVE-2025-21616 Plane has a Cross-site scripting (XSS) via SVG image upload
Plane is an open-source project management tool. A cross-site scripting XSS vulnerability has been identified in Plane versions prior to 0.23. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims'...
CVE-2024-5521
Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16. A user with the gallery editor or VFS resource manager role, which grants permission to upload images, can upload .svg images containing JavaScript code. The code will be...
Cross-site Scripting (XSS)
ghost is vulnerable to Cross-Site Scripting. The vulnerability is due to missing sanitization during SVG image upload. An attacker can upload an SVG profile picture containing JavaScript code which interacts with the API on localhost TCP port 3001, allowing a contributor to potentially take over an...
CVE-2023-48114
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name...
CVE-2021-36895
Unauthenticated Cross-Site Scripting XSS vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload...
Cross site scripting
Unauthenticated Cross-Site Scripting XSS vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload...
CVE-2021-36895 WordPress Tripetto plugin <= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload
Unauthenticated Cross-Site Scripting XSS vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload...
CVE-2021-36895
CVE-2021-36895: Unauthenticated XSS in WordPress Tripetto plugin versions <= 5.1.4 via SVG image upload. Root cause per CNVD/CNNVD entries is lack of filtering/escaping for uploaded SVG data. Affected: Tripetto WordPress plugin
CVE-2020-8035
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting XSS vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL...