qt6-qtdeclarative security update

An update is available for qt6-qtdeclarative. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitra...

WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload

The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user...

DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization

A flaw was found in DOMPurify, a DOM-only cross-site scripting sanitizer. A remote attacker could exploit an inconsistency in how forbidden tags and attributes are handled when function-based tag additions are used. This allows malicious HTML, MathML, or SVG elements to bypass sanitization and...

CVE-2026-45729

A flaw was found in Thor Vector Graphics ThorVG, a vector graphics engine. A remote attacker could exploit this vulnerability by providing untrusted SVG Scalable Vector Graphics data. This could lead to a denial of service DoS, causing the application to crash and become unavailable. The...

CVE-2026-45729

Thor Vector Graphics ThorVG is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...

CVE-2026-45729 ThorVG: Null pointer dereference in SVG loader causes crash via 6-byte malformed input

Thor Vector Graphics ThorVG is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...

CVE-2026-45729

Thor Vector Graphics ThorVG is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...

CVE-2026-45729

Thor Vector Graphics (ThorVG) prior to 1.0.5 is affected by a NULL pointer dereference in SvgLoader::run() when untrusted SVG data is passed to Picture::load(), potentially crashing the process with a small payload. The issue, ratedCVSS 3.1: 4.3 (Medium) with network attack vector, requires user ...

CVE-2026-45729

Thor Vector Graphics ThorVG is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...

CVE-2026-48208

An improper neutralization of active SVG content in OTRS or OTRS Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent o...

CVE-2026-48208

An improper neutralization of active SVG content in OTRS or OTRS Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent o...

CVE-2026-48208 Denial-of-Service via SVG Rendering in Ticket

An improper neutralization of active SVG content in OTRS or OTRS Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent o...

PT-2026-45537

Thor Vector Graphics ThorVG is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run allows any caller that passes untrusted SVG data to Picture::load to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5...

OTRS security vulnerabilities

OTRS is a service management solution developed by the German company OTRS. Versions 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X up to version 2026.4.X of OTRS contained security vulnerabilities. These vulnerabilities were due to improper handling of SVG content during the rendering of ticke...

ThorVG code issue vulnerabilities

ThorVG is a high-performance, lightweight vector graphics engine developed under open source. Versions of ThorVG prior to 1.0.5 contained code vulnerabilities. These vulnerabilities stemmed from null pointer dereferencing in the SvgLoader::run function, which could cause the process to crash for...

SUSE CVE-2026-10007

Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

Chromium: CVE-2026-10007 Use after free in SVG

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

EUVD-2026-33149

Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-10007

An use after free flaw was found in the SVG component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=513754619...

Linux Distros Unpatched Vulnerability : CVE-2026-47760

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in...