Lucene search
K

1457 matches found

Nuclei
Nuclei
added 17 hours ago33 views

WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload

The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user...

8.3CVSS6.2AI score0.01133EPSS
Exploits1References4
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-55466 Snipe-IT: Stored XSS via inline-served attachment

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline, allowing a low-privilege user to upload active...

6.2CVSS0.00351EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-61456

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...

5.1CVSS0.00141EPSS
Exploits0References2
CVE
CVE
added 3 days ago10 views

CVE-2026-15321

CVE-2026-15321 (MyEMS Admin Backend) affects myems-api/core/svg.py, function on_post, in MyEMS

4.8CVSS4.3AI score0.0022EPSS
Exploits0References8
NVD
NVD
added 4 days ago6 views

CVE-2026-53962

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue ...

5.4CVSS0.00264EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-56999

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description Insufficient SVG sanitization during the handling of uploads and user avatars can...

5.4CVSS6AI score0.00264EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 2026/07/02 7:37 p.m.5 views

CVE-2025-71385 Netdata < 2.3.1 - Reflected Cross-Site Scripting via love Parameter in ilove.svg Endpoint

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:37 p.m.8 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.7AI score0.0024EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.5 views

PT-2026-54833

Name of the Vulnerable Software and Affected Versions MCO version 25.3.3.1 Description The software is subject to Stored Cross-Site Scripting XSS, a flaw where malicious scripts are permanently stored on the target server. This occurs through the application logo upload functionality, allowing an...

5.4CVSS5.8AI score0.0014EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/07/01 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-14013

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium...

4.3CVSS6.2AI score0.0019EPSS
Exploits0References2
OSV
OSV
added 2026/06/30 11:17 p.m.2 views

DEBIAN-CVE-2026-14013

Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...

4.3CVSS5.8AI score0.0019EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:37 p.m.7 views

CVE-2026-13793

Insufficient policy enforcement in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

5.8AI score0.00233EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/30 10:37 p.m.27 views

CVE-2026-13793

Insufficient policy enforcement in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

0.00233EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54289

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An inappropriate implementation in SVG allows a remote attacker to perform UI spoofing via a crafted HTML page. Recommendations Update Google Chrome to version 150.0.7871.47 or later...

9.8CVSS6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.8 views

PT-2026-54292

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An inappropriate implementation in SVG allows a remote attacker to leak cross-origin data through the use of a crafted HTML page. Cross-origin data leakage occurs when a website accesse...

9.8CVSS6AI score0.00413EPSS
Exploits0References447
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-54070

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient policy enforcement in SVG Scalable Vector Graphics allows a remote attacker to leak cross-origin data by using a crafted HTML page. Recommendations Update Google Chrome to...

9.6CVSS6AI score0.00413EPSS
Exploits0References450
OSV
OSV
added 2026/06/29 10:16 a.m.5 views

UBUNTU-CVE-2026-13601

A flaw was found in Yelp due to an overly permissive Content Security Policy CSP implementation provided by yelp-xsl. A malicious Flatpak application can open crafted help content through the OpenURI portal. By embedding an untrusted CSS stylesheet within a structured SVG document,...

7.1CVSS5.9AI score0.0012EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/06/29 10:3 a.m.5 views

ImageMagick: ImageMagick: Arbitrary code execution via SVG decoder command injection

A flaw was found in ImageMagick. This command injection vulnerability in the SVG Scalable Vector Graphics decoder allows a remote attacker to craft malicious SVG files. When these files are processed, the injected Magick Vector Graphics MVG commands can execute, potentially leading to arbitrary...

5.5CVSS6.5AI score0.00895EPSS
Exploits0References6
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5201 SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) in github.com/siyuan-note/siyuan/kernel

SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG getDynamicIcon, unauthenticated in github.com/siyuan-note/siyuan/kernel...

8.6CVSS5.8AI score0.00469EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/06/24 7:25 a.m.10 views

CVE-2026-56379

A flaw was found in ImageMagick. This command injection vulnerability in the SVG Scalable Vector Graphics decoder allows a remote attacker to craft malicious SVG files. When these files are processed, the injected Magick Vector Graphics MVG commands can execute, potentially leading to arbitrary...

9.2CVSS6.6AI score0.00895EPSS
Exploits0References5
Rows per page
Query Builder