
2034 matches found

Positive Technologies
added 2025/12/01 12:0 a.m., 2 views

PT-2025-48541

Name of the Vulnerable Software and Affected Versions: Todoist version 8896. Description: Todoist version 8896 has a Cross-Site Scripting (XSS) issue in the /api/v1/uploads API endpoint. Uploaded SVG files lack sanitization, allowing embedded JavaScript to execute when a user opens the attachment from...

CVSS 5.4, AI score 6.3, EPSS 0.00033
Exploits 1, References 4
OSV
added 2025/12/01 12:0 a.m., 6 views

ALSA-2025:22394 Moderate: qt6-qtsvg security update

Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices. Security Fixes: qtsvg: Uncontrolled recursion in Qt SVG module (CVE-2025-10728). For more details...

CVSS 9.4, AI score 6.7, EPSS 0.0001
Exploits 0, References 4
CNNVD
added 2025/12/01 12:0 a.m., 1 views

Todoist security vulnerability

Todoist is a task management and to-do list application from Todoist, Inc. A security vulnerability exists in Todoist version v8896, which stems from a lack of cleanup of uploaded SVG files in /api/v1/uploads, which could lead to a cross-site scripting attack...

CVSS 5.4, AI score 6.1, EPSS 0.00033
Exploits 1, References 2
Positive Technologies
added 2025/12/01 12:0 a.m., 3 views

PT-2025-48574

Name of the Vulnerable Software and Affected Versions: FileRise versions prior to 2.2.3. Description: FileRise is a self-hosted web-based file manager. A stored cross-site scripting (XSS) issue exists due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads...

CVSS 5.4, AI score 5.5, EPSS 0.00017
Exploits 1, References 8
GitHub Security Blog
added 2025/11/30 9:30 a.m., 4 views

yungifez Skuul School Management System vulnerable to XSS via SVG

A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The attack is possible to be carried out remotely...

CVSS 4.8, AI score 5.8, EPSS 0.00032
Exploits 1, References 6, Affected Software 1
Snyk
added 2025/11/30 7:39 a.m., 1 views

Cross-site Scripting (XSS)

Overview: yungifez/skuul is a multi school management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the application, which uploaded SVG files directly without sanitization or enforcing content-type restrictions. An attacker can inject and execute...

CVSS 4.8, AI score 4.2, EPSS 0.00032
Exploits 1, References 2
EUVD
added 2025/11/27 6:30 p.m., 3 views

EUVD-2025-199832

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVSS 6.2, AI score 5.3, EPSS 0.00033
Exploits 0, References 3
GitHub Security Blog
added 2025/11/27 6:30 p.m., 7 views

ThingsBoard allows an authenticated user to upload malicious SVG images

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

AI score 5.7, EPSS 0.00033
Exploits 0, References 4, Affected Software 1
NVD
added 2025/11/27 2:15 p.m., 5 views

CVE-2025-13692

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVSS 7.2, EPSS 0.00181
Exploits 0, References 7
Patchstack
added 2025/11/27 9:47 a.m., 5 views

WordPress Houzez plugin <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability

Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Alex Thomas - Wordfence in WordPress Theme Houzez versions <= 4.1.6...

CVSS 6.1, AI score 5.8, EPSS 0.00084
Exploits 0, References 1, Affected Software 1
Positive Technologies
added 2025/11/27 12:0 a.m., 3 views

PT-2025-48269

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVSS 7.2, AI score 5.4, EPSS 0.00181
Exploits 0, References 8
OSV
added 2025/11/26 7:15 p.m., 1 views

CVE-2025-65676

Stored Cross-Site Scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images...

CVSS 5.4, AI score 6.4, EPSS 0.00039
Exploits 2, References 3
NVD
added 2025/11/26 7:15 p.m., 3 views

CVE-2025-65675

Stored Cross-Site Scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures...

CVSS 5.4, EPSS 0.00039
Exploits 2, References 3
RedhatCVE
added 2025/11/26 4:56 p.m., 3 views

CVE-2025-41087

Cross-Site Scripting (XSS) vulnerability stored in the Taclia web application, where the uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of an...

CVSS 5.1, AI score 5.8, EPSS 0.00054
Exploits 0, References 1
CVE
added 2025/11/26 12:0 a.m., 7 views

CVE-2025-65676

CVE-2025-65676 is a stored XSS defect in Classroomio LMS 0.1.13, where authenticated attackers can upload crafted SVG cover images that execute code in the context of the application. Multiple adapters (NVD, Red Hat, EUVD, OSV, CIRCL, PT-Security, CNNVD, CVE lists, PacketStorm, etc.) consistently...

CVSS 5.4, AI score 6.1, EPSS 0.00039
Exploits 2, References 3, Affected Software 1
CNNVD
added 2025/11/26 12:0 a.m., 4 views

ClassroomIO.com security vulnerability

ClassroomIO.com is an educational platform open-sourced by ClassroomIO. A security vulnerability exists in ClassroomIO.com version 0.1.13, which originates in stored cross-site scripting and could allow an authenticated attacker to execute arbitrary code via a specially crafted SVG profile pictur...

CVSS 5.4, AI score 6.4, EPSS 0.00039
Exploits 2, References 4
NVD
added 2025/11/24 12:15 p.m., 1 views

CVE-2025-41087

Cross-Site Scripting (XSS) vulnerability stored in the Taclia web application, where the uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of an...

CVSS 5.1, EPSS 0.00054
Exploits 0, References 1
Vulnrichment
added 2025/11/24 11:27 a.m., 4 views

CVE-2025-41087 Cross-Site Scripting (XSS) stored in Taclia's web application

Cross-Site Scripting (XSS) vulnerability stored in the Taclia web application, where the uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of an...

CVSS 5.1, AI score 5.4, EPSS 0.00054
Exploits 0, References 1
Cvelist
added 2025/11/24 11:27 a.m., 5 views

CVE-2025-41087 Cross-Site Scripting (XSS) stored in Taclia's web application

Cross-Site Scripting (XSS) vulnerability stored in the Taclia web application, where the uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as image profiles, which are then stored on the server and executed in the context of an...

CVSS 5.1, EPSS 0.00054
Exploits 0, References 1
CNNVD
added 2025/11/24 12:0 a.m., 1 views

Taclia Web Application cross-site scripting vulnerability

Taclia Web Application is a billing and business management platform from Taclia Spain. A cross-site scripting vulnerability exists in the Taclia web application that stems from an uploaded SVG image that is not properly cleaned, which could lead to a stored cross-site scripting attack...

CVSS 5.1, AI score 5.9, EPSS 0.00054
Exploits 0, References 1