2034 matches found
CVE-2025-59428 EspoCRM allows arbitrary user creation via stored SVG injection and CSRF
EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit...
[SECURITY] Fedora 42 Update: qt5-qtsvg-5.15.17-2.fc42
Scalable Vector Graphics SVG is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices...
ROS-20251014-09
A vulnerability in the SVG component of Mozilla Firefox, Firefox ESR and the Thunderbird email client is related to an integer overflow. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...
PT-2025-41935
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.1.9. Description: EspoCRM is a customer relationship management application. A flaw allows the creation of arbitrary user accounts, including those with administrative privileges. This is achieved through a combinatio...
CVE-2025-9698 The Plus Addons for Elementor < 6.3.16 - Author+ Stored XSS
The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks...
CVE-2025-9698
CVE-2025-9698 refers to The Plus Addons for Elementor WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) caused by unsanitized SVG file contents, exploitable by any user with the Author role or higher who can upload or have the plugin process SVG content. Affected versions are before 6.3.16; remedia...
CVE-2025-11655 Total.js Flow SVG File unrestricted upload
A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been...
CVE-2025-11655
Total.js Flow (up to 673ef9144dd25d4f4fd4fdfda5af27f230198924) is affected by a flaw in the SVG File Handler component where manipulation enables unrestricted file upload. The remaining details point to a remote attack path with no version details available in the initial description, but Red Hat...
CVE-2025-60880
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in...
Bagisto is vulnerable to XSS through Admin Panel's product creation path
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in...
CVE-2025-35060
Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...
EUVD-2025-33567
Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...
PT-2025-41476
Name of the Vulnerable Software and Affected Versions: Newforma Info Exchange NIX, affected versions not specified. Description: Newforma Info Exchange NIX includes a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files. These SVG files can contain JavaScrip...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via SVG files in diagram type products. An attacker can execute arbitrary web scripts or HTML in the context of a user's browser by uploading a specially crafted SVG file. Details Cross-site scripting or XSS is ...
Cross-site Scripting (XSS)
Overview webreinvent/vaahcms is a laravel based open-source web application development platform shipped with headless content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the upload function in the MediaController.php file. An attacker can...
CVE-2025-43829
Stored cross-site scripting XSS vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or...
CVE-2025-43829
CVE-2025-43829 is a stored XSS vulnerability in Liferay Commerce diagram logic. A crafted SVG file can inject script/HTML, affecting Liferay Portal 7.4.3.18 through 7.4.3.111 and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. The issue originates from the diagram web componen...
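Most of the entries above (The Plus Addons for Elementor, Bagisto, Newforma NIX, Liferay Commerce diagram products, vaahcms MediaController) are the same bug: an upload path accepts SVG files without inspecting their contents, and a browser later renders the file in the application's origin, so any script inside it runs as the victim. The following is an added example, not code from any of the projects listed. It shows a conservative server-side check that rejects SVGs carrying script-bearing constructs (script and foreignObject elements, on* event handlers, javascript:/data: URLs, including tab-obfuscated schemes and href values rewritten by SMIL animation), plus the response headers that stop a stored SVG from rendering inline even if the check is bypassed. Element and attribute names come from the SVG and XLink specifications; the sample SVG documents are constructed for illustration.

```python
"""Server-side check for script-bearing SVG uploads (added example; not project code).

The sample SVG documents below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Elements that execute script or embed HTML/foreign content inside an SVG.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "frame"}
# Attributes whose value is (or can become, via <animate>/<set>) a URL the browser follows.
URL_ATTRS = {"href", "src", "from", "to", "values"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix and lowercase the local name."""
    return name.rsplit("}", 1)[-1].lower()


def _dangerous_url(value: str) -> bool:
    """True if any ';'-separated segment (animation value lists) starts with a
    script-capable scheme. Browsers strip tab/newline from a URL before reading
    the scheme, so 'java\\tscript:' must be treated as 'javascript:'. data:image/*
    is allowed because <image href="data:image/png;..."> is common and images do
    not run script; every other data: URL is refused."""
    collapsed = "".join(value.split()).lower()
    for seg in collapsed.split(";"):
        if seg.startswith("data:image/"):
            continue
        if seg.startswith(DANGEROUS_SCHEMES):
            return True
    return False


def svg_findings(data: bytes) -> List[str]:
    """Return the reasons to reject this SVG; an empty list means none were found.
    XML that is not well-formed is rejected rather than guessed at."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and _dangerous_url(value):
                findings.append(f'{name}="{value[:40]}" on <{tag}>')
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


def upload_response_headers(filename: str) -> Dict[str, str]:
    """Defence in depth when serving a stored SVG: force a download and forbid
    script even if a dangerous file slipped past the check. Quotes and line
    breaks are removed from the filename so it cannot break out of the header."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: one benign SVG and five XSS carriers seen in SVG uploads.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

MALICIOUS_SVGS = {
    "script element": b'<svg xmlns="http://www.w3.org/2000/svg">'
                      b'<script>alert(document.domain)</script></svg>',
    "onload handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    # &#9; is a tab inside the scheme: defeats a naive startswith("javascript:").
    "obfuscated href": b'<svg xmlns="http://www.w3.org/2000/svg" '
                       b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                       b'<a xlink:href="java&#9;script:alert(1)"><text y="9">x</text></a></svg>',
    # No <script>, no on* attribute: the animation rewrites href at runtime.
    "animated href": b'<svg xmlns="http://www.w3.org/2000/svg"><a>'
                     b'<animate attributeName="href" values="#;javascript:alert(1)" dur="1s"/>'
                     b'<text y="9">x</text></a></svg>',
    "foreignObject": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                     b'<body xmlns="http://www.w3.org/1999/xhtml" onload="alert(1)"/>'
                     b'</foreignObject></svg>',
}


def check_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples; only 'benign' maps to []."""
    results = {"benign": svg_findings(BENIGN_SVG)}
    results.update({name: svg_findings(svg) for name, svg in MALICIOUS_SVGS.items()})
    return results


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(f"{name:16} -> {'OK' if not findings else '; '.join(findings)}")
```

This is a reject-list check, not a sanitizer: it answers "should this file be stored at all", and a new SVG feature could still slip through. The headers are what actually break the attack chain the Newforma and Bagisto entries describe (the file being "executed or rendered by a web browser"): served as an attachment from the application's origin, or from a separate static-content origin, a stored SVG never executes in the victim's session. Rasterizing untrusted SVGs to PNG at upload time removes the problem entirely where vector output is not required.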