Lucene search
+L

454 matches found

NVD
NVD
added 5 days ago8 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS0.00203EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-49971 Laravel-Mediable < 7.0.0 Stored XSS via SVG File Upload

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS0.00203EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 1:16 p.m.20 views

CVE-2026-56701

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexmlloadstring without disabling external entity loading, enabling attackers to inject XXE payloads...

7.1CVSS0.00233EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:13 p.m.7 views

CVE-2026-56701

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexmlloadstring without disabling external entity loading, enabling attackers to inject XXE payloads...

7.1CVSS6AI score0.00233EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/23 12:13 p.m.11 views

EUVD-2026-38442

Grav before 2.0.0-beta.2 contains an XML external entity injection vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexmlloadstring without disabling external entity loading, enabling attackers to inject XXE payloads...

7.1CVSS6AI score0.00233EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/08 2:1 p.m.14 views

EUVD-2026-35071

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded throu...

4.8CVSS5.5AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.21 views

PT-2026-47296

QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded throu...

4.8CVSS5.5AI score0.0023EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:42 p.m.11 views

CVE-2025-1794

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

5.4CVSS5.7AI score0.00173EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.14 views

CVE-2026-39970

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...

8.5CVSS5.8AI score0.00276EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/04 7:35 p.m.8 views

Cross-site Scripting (XSS)

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the SVG file upload process. An attacker can execute arbitrary JavaScript in the context of the application by uploading a malicious SVG file containing...

6.9CVSS5.9AI score0.00039EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.14 views

CVE-2026-46360

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization. Authenticated users with FAQEDIT permission can upload malicious SVG files with deeply...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References1
NVD
NVD
added 2026/05/22 7:17 p.m.19 views

CVE-2026-39970

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...

8.5CVSS0.00276EPSS
Exploits0References2
OSV
OSV
added 2026/05/22 5:55 p.m.2 views

CVE-2026-39970 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...

8.5CVSS6.2AI score0.00276EPSS
Exploits0References4
NVD
NVD
added 2026/05/16 4:16 p.m.37 views

CVE-2021-47955

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which...

5.4CVSS0.00172EPSS
Exploits0References3
NVD
NVD
added 2026/05/16 4:16 p.m.35 views

CVE-2020-37238

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS0.00243EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/16 3:26 p.m.65 views

CVE-2021-47955 CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which...

5.4CVSS0.00172EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/16 3:25 p.m.10 views

EUVD-2020-31240

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when othe...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
CVE
CVE
added 2026/05/16 3:25 p.m.19 views

CVE-2020-37238

CVE-2020-37238 affects CMS Made Simple 2.2.15. The vulnerability is a stored cross-site scripting (XSS) flaw in the file manager: authenticated Content Manager users can upload SVG files containing embedded JavaScript, which executes when other authenticated users view the uploaded file, enabling...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.12 views

CMS Made Simple 跨站脚本漏洞

CMS Made Simple CMSMS is an open-source content management system developed by the Cmsms team. This system supports role-based permission management systems, wizard-based installation and update mechanisms, and intelligent caching features. Version 2.2.15 of CMS Made Simple contains a cross-site...

6.4CVSS5.6AI score0.00243EPSS
Exploits0References1
NVD
NVD
added 2026/05/15 7:16 p.m.23 views

CVE-2021-47958

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

5.3CVSS0.00238EPSS
Exploits0References3
Rows per page
Query Builder