2034 matches found

RedhatCVE
added 2025/11/22 8:35 a.m., 3 views

CVE-2025-13159

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...

CVSS 7.1, AI score 5.1, EPSS 0.00048
Exploits: 0, References: 1
OSV
added 2025/11/21 6:19 p.m., 2 views

RLSA-2025:21037 Important: qt6-qtsvg security update

Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices. Security Fixes: qtsvg: Use-after-free vulnerability in Qt SVG (CVE-2025-10729). For more details...

CVSS 8.6, AI score 6.9, EPSS 0.00024
Exploits: 0, References: 2
EUVD
added 2025/11/21 9:30 a.m., 2 views

EUVD-2025-198392

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...

CVSS 7.1, AI score 4.7, EPSS 0.00048
Exploits: 0, References: 5
Vulnrichment
added 2025/11/21 7:31 a.m., 1 view

CVE-2025-13159 Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...

CVSS 7.1, AI score 4.8, EPSS 0.00048
Exploits: 0, References: 4
Cvelist
added 2025/11/21 7:31 a.m., 5 views

CVE-2025-13159 Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...

CVSS 7.1, EPSS 0.00048
Exploits: 0, References: 4
Cvelist
added 2025/11/19 6:44 p.m., 8 views

CVE-2025-64759 Homarr is Vulnerable to Stored Cross-Site Scripting (XSS) and Possible Privilege Escalation via Malicious SVG Upload

Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an...

CVSS 8.1, EPSS 0.00057
Exploits: 0, References: 2
Positive Technologies
added 2025/11/19 12:00 a.m., 3 views

PT-2025-47516

Name of the Vulnerable Software and Affected Versions: Homarr versions prior to 1.43.3. Description: A stored cross-site scripting (XSS) issue exists in Homarr Dashboard. The issue allows the execution of arbitrary JavaScript in a user's browser with minimal user interaction. This is due to the...

CVSS 8.1, AI score 5.6, EPSS 0.00057
Exploits: 0, References: 5
CVE
added 2025/11/18 9:27 a.m., 15 views

CVE-2025-12457

CVE-2025-12457 concerns the WordPress plugin Enable SVG, WebP, and ICO Upload. The Wordfence vulnerability entry confirms a Stored Cross-Site Scripting (XSS) flaw via SVG file uploads in all versions up to 1.1.2, exploitable by an authenticated attacker with Author-level access or higher to injec...

CVSS 6.4, AI score 4.7, EPSS 0.0002
Exploits: 0, References: 3
Vulnrichment
added 2025/11/18 9:27 a.m., 2 views

CVE-2025-12457 Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads

The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVSS 6.4, AI score 4.7, EPSS 0.0002
Exploits: 0, References: 3
Cvelist
added 2025/11/18 9:27 a.m., 9 views

CVE-2025-13069 Enable SVG, WebP, and ICO Upload <= 1.1.3 - Authenticated (Author+) Arbitrary File Upload via ICO Upload Bypass

The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.3. This is due to insufficient file type validation when detecting ICO files, allowing double-extension files with the appropriate magic bytes to bypass sanitizati...

CVSS 8.8, EPSS 0.0008
Exploits: 0, References: 3
Positive Technologies
added 2025/11/18 12:00 a.m., 3 views

PT-2025-47285

Name of the Vulnerable Software and Affected Versions: Enable SVG, WebP, and ICO Upload plugin for WordPress versions up to and including 1.1.2. Description: The Enable SVG, WebP, and ICO Upload plugin for WordPress is susceptible to arbitrary file upload due to insufficient file type validation whe...

CVSS 8.8, AI score 7.5, EPSS 0.0008
Exploits: 0, References: 7
CNNVD
added 2025/11/18 12:00 a.m., 3 views

WordPress plugin Enable SVG, WebP, and ICO Upload cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which provides the ability to host personal blog sites on PHP and MySQL based...

CVSS 6.4, AI score 5.7, EPSS 0.0002
Exploits: 0, References: 2
Tenable Nessus
added 2025/11/18 12:00 a.m., 4 views

Mozilla Firefox < 60.0

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 60.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2018-11 advisory. - Mozilla developers and community members Christoph Diehl, Christian Holler, Jon Coppeard, Jason Kratzer, Nath...

CVSS 10, AI score 7.8, EPSS 0.43031
Exploits: 5, References: 28
Tenable Nessus
added 2025/11/18 12:00 a.m., 3 views

Mozilla Firefox ESR < 52.8.1

The version of Firefox ESR installed on the remote Windows host is prior to 52.8.1. It is, therefore, affected by a vulnerability as referenced in the mfsa2018-14 advisory. - A heap buffer overflow can occur in the Skia library when rasterizing paths using a maliciously crafted SVG file with...

CVSS 8.8, AI score 8.7, EPSS 0.26653
Exploits: 1, References: 2
RedhatCVE
added 2025/11/15 12:47 a.m., 3 views

CVE-2025-63830

CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content...

CVSS 6.1, AI score 6.3, EPSS 0.00008
Exploits: 1, References: 1
NVD
added 2025/11/14 6:15 p.m., 5 views

CVE-2025-63830

CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content...

CVSS 6.1, EPSS 0.00008
Exploits: 1, References: 2
Cvelist
added 2025/11/14 12:00 a.m., 7 views

CVE-2025-63830

CKFinder 1.4.3 is vulnerable to Cross Site Scripting (XSS) in the File Upload function. An attacker can upload a crafted SVG containing active content...

EPSS 0.00008
Exploits: 1, References: 2
CNNVD
added 2025/11/14 12:00 a.m., 2 views

CKFinder security vulnerability

CKFinder is an intelligent WYSIWYG editor component with collaborative editing capabilities. A security vulnerability exists in CKFinder version 1.4.3, which stems from a cross-site scripting vulnerability in the file upload feature that could lead to the upload of malicious SVG files...

CVSS 6.1, AI score 6.1, EPSS 0.00008
Exploits: 1, References: 3
Positive Technologies
added 2025/11/14 12:00 a.m., 5 views

PT-2025-46989

Name of the Vulnerable Software and Affected Versions: CKFinder version 1.4.3. Description: CKFinder 1.4.3 is susceptible to a Cross Site Scripting (XSS) issue within the File Upload function. An attacker can exploit this by uploading a specially crafted SVG file containing active content. The...

CVSS 6.1, AI score 6.5, EPSS 0.00008
Exploits: 1, References: 6
RedhatCVE
added 2025/11/12 3:46 a.m., 2 views

CVE-2025-12880

The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-leve...

CVSS 5.4, AI score 4.9, EPSS 0.00017
Exploits: 0, References: 1