
2034 matches found

Vulnrichment
added 2025/10/24 6:00 a.m., 2 views

CVE-2025-9978 Jeg Elementor Kit < 2.7.0 - Author+ Stored XSS

The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross site scripting vulnerability...

AI score 5.8, EPSS 0.00036
Exploits 0, References 1
Positive Technologies
added 2025/10/24 12:00 a.m., 2 views

PT-2025-43583

Name of the Vulnerable Software and Affected Versions Jeg Kit for Elementor WordPress plugin versions prior to 2.7.0 Description The Jeg Kit for Elementor WordPress plugin does not properly sanitize SVG file contents when uploaded through the xmlrpc.php file, which can result in a cross-site...

CVSS 6.8, AI score 6, EPSS 0.00036
Exploits 0, References 5
Tenable Nessus
added 2025/10/22 12:00 a.m., 1 view

FreeBSD : Mozilla -- integer overflow (c7383de4-ab7a-11f0-b961-b42e991fc52e)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c7383de4-ab7a-11f0-b961-b42e991fc52e advisory. [email protected] reports: Integer overflow in the SVG component Tenable has extracted the preceding...

CVSS 8.8, AI score 8.3, EPSS 0.00136
Exploits 0, References 3
RedhatCVE
added 2025/10/20 6:23 p.m., 3 views

CVE-2025-34281

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVSS 6.2, AI score 5.6, EPSS 0.00032
Exploits 0, References 1
Snyk
added 2025/10/20 3:30 p.m., 3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mediamanager component when a specially crafted SVG file containing JavaScript code is uploaded and subsequently previewed by an administrator. Details Cross-site scripting or XSS is a code vulnerability...

CVSS 8.8, AI score 5.3, EPSS 0.0009
Exploits 1, References 2
NVD
added 2025/10/20 3:15 p.m., 2 views

CVE-2025-61417

Cross-Site Scripting XSS vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/mediamanager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to...

CVSS 8.8, EPSS 0.0009
Exploits 1, References 2
CNNVD
added 2025/10/20 12:00 a.m., 2 views

TastyIgniter Security Vulnerability

TastyIgniter is an online ordering software from TastyIgniter open source. A security vulnerability exists in TastyIgniter version 3.7.7, which stems from the /admin/mediamanager component not properly handling JavaScript code in SVG files, which could lead to a cross-site scripting attack...

CVSS 8.8, AI score 5.9, EPSS 0.0009
Exploits 1, References 3
EUVD
added 2025/10/17 9:31 p.m., 3 views

EUVD-2025-34907

ThingsBoard versions 4.2.1 contain a stored cross-site scripting XSS vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...

CVSS 5.1, AI score 5.3, EPSS 0.00032
Exploits 0, References 4
OSV
added 2025/10/17 7:15 p.m., 3 views

CVE-2025-34281

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVSS 5.4, AI score 5.6, EPSS 0.00032
Exploits 0, References 3
OSV
added 2025/10/17 7:15 p.m., 2 views

CVE-2025-34282

ThingsBoard versions 4.2.1 contain a server-side request forgery SSRF vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may...

CVSS 9.1, AI score 7.2
Exploits 0, References 3
RedhatCVE
added 2025/10/17 6:44 p.m., 5 views

CVE-2025-62418

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...

CVSS 6.9, AI score 7, EPSS 0.00036
Exploits 1, References 1
Cvelist
added 2025/10/17 6:33 p.m., 5 views

CVE-2025-34281 Stored Cross-Site Scripting (XSS) in ThingsBoard

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...

CVSS 6.2, EPSS 0.00032
Exploits 0, References 3
CNVD
added 2025/10/17 12:00 a.m., 2 views

WordPress The Plus Addons for Elementor plugin cross-site scripting vulnerability

WordPress The Plus Addons for Elementor plugin is a plugin designed specifically for the Elementor page builder, offering over 120 custom widgets and extensions and more than 1000 pre-designed templates. A cross-site scripting vulnerability exists in WordPress The Plus Addons for Elementor plugin...

CVSS 6.8, AI score 6.3, EPSS 0.00036
Exploits 0, References 1
EUVD
added 2025/10/16 9:31 p.m., 1 view

EUVD-2025-34813

An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file...

CVSS 6.5, AI score 7.3, EPSS 0.00055
Exploits 0, References 4
OSV
added 2025/10/16 8:41 p.m., 2 views

GHSA-FG89-G389-P346 bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)

Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. Details The underlying probl...

CVSS 6.9, AI score 7.1, EPSS 0.00036
Exploits 1, References 4
Vulnrichment
added 2025/10/16 6:35 p.m., 1 view

CVE-2025-62418 bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG)

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...

CVSS 6.9, AI score 6.7, EPSS 0.00036
Exploits 1, References 1
Vulnrichment
added 2025/10/16 12:00 a.m., 2 views

CVE-2025-61514

An arbitrary file upload vulnerability in SageMath, Inc CoCalc before commit 0d2ff58 allows attackers to execute arbitrary code via uploading a crafted SVG file...

AI score 7.5, EPSS 0.00055
Exploits 0, References 3
CVE
added 2025/10/16 12:00 a.m., 5 views

CVE-2025-61514

CVE-2025-61514 affects SageMath, Inc. CoCalc prior to the fix commit 0d2ff58, where an attacker can upload a crafted SVG file to achieve arbitrary code execution. The issue is triggered by an arbitrary file upload vulnerability in the CoCalc front-end/back-end stack, enabling code execution on th...

CVSS 6.5, AI score 7.5, EPSS 0.00055
Exploits 0, References 3
OSV
added 2025/10/14 2:38 p.m., 2 views

CVE-2025-59428 EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit...

CVSS 5.4, AI score 6.8, EPSS 0.00018
Exploits 1, References 3
Cvelist
added 2025/10/14 2:38 p.m., 5 views

CVE-2025-59428 EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit...

CVSS 5.4, EPSS 0.00018
Exploits 1, References 1