5 matches found
CVE-2026-22254
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2026-22254 Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would...
CVE-2025-63317
Todoist v8896 is vulnerable to Cross Site Scripting XSS in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment...
CVE-2025-63317
Todoist v8896 is affected by an XSS vulnerability in the /api/v1/uploads endpoint. Uploaded SVG files are not sanitized, allowing embedded JavaScript to execute when a user opens the attachment from a task or comment. The Red Hat and EU/NVD entries corroborate Todoist v8896 as vulnerable to SVG-b...
EUVD-2025-198629
Cross-Site Scripting XSS vulnerability stored in tha Taclia web application, where the uploaded SVG images are not properly sanitized. This allows to the attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of an...