CLSA-2026-1771425977 ImageMagick: Fix of 2 CVEs

CVE-2025-68618: fix DOS when processing a specially crafted malicious SVG file - CVE-2025-69204: fix DOS due to buffer overflow during image processing of a specially crafted SVG image...

CLSA-2026-1771425162 ImageMagick: Fix of 2 CVEs

CVE-2025-68618: fix DOS when processing a specially crafted malicious SVG file - CVE-2025-69204: fix DOS due to buffer overflow during image processing of a specially crafted SVG image...

CLSA-2026-1771409779 Fix CVE(s): CVE-2025-68618, CVE-2025-69204

SECURITY UPDATE: Malicious SVG file resulted in a DoS attack - debian/patches/CVE-2025-68618.patch: fix DOS when processing a specially crafted malicious SVG file - CVE-2025-68618 SECURITY UPDATE: WriteSVGImage function, using an int variable to store numberattributes caused an integer overflow a...

InvoicePlane 跨站脚本漏洞

InvoicePlane is an open-source application developed by InvoicePlane. It provides a self-hosted open-source tool for managing your quotes, invoices, customers, and payments. Version 1.7.0 of InvoicePlane contains a cross-site scripting vulnerability. This vulnerability stems from the login logo...

CVE-2025-59903

Stored Cross-Site Scripting XSS vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromis...

CVE-2025-59903 Stored Cross-Site Scripting (XSS) in Kubysoft

Stored Cross-Site Scripting XSS vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromis...

CVE-2025-59903

CVE-2025-59903 documents a Stored XSS in Kubysoft due to SVG uploads not being sanitized. The payloads can be embedded as visual content in SVG files, which are stored server-side and executed in the context of any user who views the compromised resource. The NVD/CVE records confirm the vulnerabi...

CVE-2025-59903

Stored Cross-Site Scripting XSS vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromis...

PT-2026-8326

Stored Cross-Site Scripting XSS vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromis...

Kubysoft 跨站脚本漏洞

Kubysoft is an IT asset management software developed by the Spanish company Kubysoft. Kubysoft has a cross-site scripting vulnerability, which stems from improper handling of uploaded SVG images. This vulnerability could allow attackers to inject malicious scripts, enabling them to execute them ...

beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...

GHSA-CGMM-X5WW-Q5CR beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...

CVE-2026-26226

The CVE-2026-26226 issue affects beautiful-mermaid versions prior to 0.1.3, where user-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping. This enables SVG attribute injection that can lead to cross-site scripting (XSS) ...

CVE-2026-26226 beautiful-mermaid < 0.1.3 SVG Attribute Injection

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...

CVE-2026-2276

CVE-2026-2276 describes a reflected XSS in Wix’s web app where uploading SVGs to the endpoint https://manage.wix.com/account/account-settings permits embedded JavaScript execution after storage. Authenticated users could upload crafted SVG content; when others view the image, script executes in t...

CVE-2026-2276 Reflected Cross-Site Scripting in the Wix web application

Reflected Cross-Site Scripting XSS vulnerability in the Wix web application, where the endpoint ' https://manage.wix.com/account/account-settings ', responsible for uploading SVG images, does not properly sanitize the content. An authenticated attacker could upload an SVG file containing embedded...

CVE-2025-70297

A stored cross-site scripting XSS vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser...

CVE-2025-70297

A stored cross-site scripting XSS vulnerability in the recipe asset upload and media serving component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary web script or HTML via an uploaded SVG file that is served as image/svg+xml and rendered by a victim s browser...

GHSA-9278-6HCJ-2P4J Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users...

Phraseanet vulnerable to stored cross-site scripting through crafted file names

Phraseanet 4.0.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through crafted file names during document uploads. Attackers can upload files with embedded SVG scripts that execute in the browser, potentially stealing cookies or...