CVE-2025-52885
Poppler is a library for rendering PDF files, and examining or modifying their structure. A use-after-free write vulnerability has been detected in versions of Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a std::vector, which...
CVE-2025-52885 GHSL-2025-042: Poppler has Use-After-Free
Poppler is a library for rendering PDF files, and examining or modifying their structure. A use-after-free write vulnerability has been detected in versions of Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a std::vector, which...
Bagisto is vulnerable to XSS through Admin Panel's product creation path
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in...
CVE-2025-35060
Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...
CVE-2025-60880
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in...
PT-2025-41613
Name of the Vulnerable Software and Affected Versions: Poppler versions prior to 25.10.0. Description: Poppler is a library used for rendering PDF files and modifying their structure. A use-after-free write issue exists due to the use of raw pointers to elements within a std::vector in the...
PT-2025-41590
Name of the Vulnerable Software and Affected Versions: Bagisto version 2.3.6. Description: An authenticated stored Cross-Site Scripting (XSS) issue exists in the admin panel's product creation functionality. An attacker can upload a crafted SVG file containing malicious JavaScript code. This allows...
EUVD-2025-33567
Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...
PT-2025-41476
Name of the Vulnerable Software and Affected Versions: Newforma Info Exchange (NIX), affected versions not specified. Description: Newforma Info Exchange NIX includes a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files. These SVG files can contain JavaScrip...
AlmaLinux 10 : glibc (ALSA-2025:11066)
The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:11066 advisory. glibc: Vector register overwrite bug in glibc (CVE-2025-5702). Tenable has extracted the preceding description block directly from the AlmaLinux security advisory...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via SVG files in diagram type products. An attacker can execute arbitrary web scripts or HTML in the context of a user's browser by uploading a specially crafted SVG file. Details: Cross-site scripting or XSS is ...
Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file
There is a Stored Cross-Site Scripting XSS vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to...
Cross-site Scripting (XSS)
Overview: webreinvent/vaahcms is a Laravel-based open-source web application development platform shipped with a headless content management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the upload function in the MediaController.php file. An attacker can...
CVE-2025-43829
Stored cross-site scripting XSS vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92 allows remote attackers to inject arbitrary web script or...
CVE-2025-43829
CVE-2025-43829 is a stored XSS vulnerability in Liferay Commerce diagram logic. A crafted SVG file can inject script/HTML, affecting Liferay Portal 7.4.3.18–7.4.3.111 and Liferay DXP 2023.Q3.1–2023.Q4.5 (including 2023.Q3.8 and 7.4 update 18–92). The issue originates from the diagram web componen...
CVE-2025-61999
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...
PT-2025-41264
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.18 through 7.4.3.111; Liferay DXP versions 2023.Q4.0 through 2023.Q4.5; Liferay DXP versions 2023.Q3.1 through 2023.Q3.8; Liferay Portal version 7.4 update 18 through update 92. Description: A stored cross-site scripti...