16 matches found

Source: RedhatCVE, added 2026/03/07 1:44 a.m.

CVE-2026-28436

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 7.2 | AI score 5.7 | EPSS 0.00045
Exploits: 0 | References: 1

Source: Cvelist, added 2026/03/05 8:21 p.m.

CVE-2026-28436 Frappe: Stored XSS in avatar_macro.html

Frappe is a full-stack web application framework. Prior to versions 16.11.0 and 15.102.0, an attacker can set a crafted image URL that results in XSS when the avatar is displayed, and it can be triggered for other users via website page comments. This issue has been patched in versions 16.11.0 an...

CVSS 5.3 | EPSS 0.00045
Exploits: 0 | References: 1

Source: NVD, added 2025/12/03 3:15 p.m.

CVE-2025-65267

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful...

CVSS 9 | EPSS 0.00046
Exploits: 0 | References: 3

Source: Positive Technologies, added 2025/12/03 12:00 a.m.

PT-2025-48816

Name of the vulnerable software and affected versions: ERPNext version 15.83.2; Frappe Framework version 15.86.0. Description: Improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the...

CVSS 9 | AI score 5.8 | EPSS 0.00046
Exploits: 0 | References: 9

Source: EUVD, added 2025/10/03 8:07 p.m.

EUVD-2021-28673

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 9.4 | EPSS 0.00513
Exploits: 1 | References: 1

Source: Cvelist, added 2024/03/27 7:18 p.m.

CVE-2024-29891 ZITADEL Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass

ZITADEL users can upload their own avatar image and various image types are allowed. Due to a missing check, an attacker could upload HTML and pretend it is an image to gain access to the victim's account in certain scenarios. A possible victim would need to directly open the supposed image in th...

CVSS 8.7 | AI score 8.8 | EPSS 0.01087
Exploits: 0 | References: 8

Source: CVE, added 2024/01/23 10:49 p.m.

CVE-2023-47115

Label Studio before version 1.9.2 contains an XSS vulnerability via avatar upload. The vulnerability stems from the avatar handling in label_studio/users/functions.py, which only validates that the uploaded file is an image by checking dimensions; it does not securely validate th...

CVSS 7.1 | AI score 5.1 | EPSS 0.04247
Exploits: 1 | References: 5 | Affected software: 1

Source: OSV, added 2024/01/23 10:49 p.m.

CVE-2023-47115 Label Studio XSS Vulnerability on Avatar Upload

Label Studio is a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as an HTML file on the website. Executing arbitrary...

CVSS 7.1 | AI score 5.5 | EPSS 0.04247
Exploits: 1 | References: 7

Source: Cvelist, added 2023/10/26 2:22 p.m.

CVE-2023-46238 XSS with User Avatar image in ZITADEL

ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker could inject code to...

CVSS 8.7 | AI score 9 | EPSS 0.0053
Exploits: 0 | References: 3

Source: Cvelist, added 2022/03/31 3:57 p.m.

CVE-2021-34257

Multiple Remote Code Execution (RCE) vulnerabilities exist in WPanel 4 4.3.1 and below via a malicious PHP file upload to (1) Dashboard's Avatar image, (2) Posts Folder image, (3) Pages Folder image and (4) Gallery Folder image...

AI score 9.3 | EPSS 0.00919
Exploits: 1 | References: 2

Source: ATTACKERKB, added 2021/07/27 1:05 p.m.

CVE-2021-3539

EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product...

CVSS 6.3 | AI score 5.1 | EPSS 0.00197
Exploits: 0 | References: 2 | Affected software: 1
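The Frappe/ERPNext (CVE-2025-65267), ZITADEL (CVE-2023-46238, CVE-2024-29891), Label Studio (CVE-2023-47115) and EspoCRM (CVE-2021-3539) entries above describe one defect in different code bases: the avatar endpoint accepts whatever the client uploads (an SVG carrying script, HTML labelled as an image, a declared Content-Type that does not match the bytes) and later serves it from the application's origin, where the embedded script runs as whoever views it. The WPanel (CVE-2021-34257) and Atom CMS entries are the same upload hole with a PHP file instead of markup. The following is an added example written for this listing, not code from any of the projects named, and it uses only the Python standard library. The upload-side validator sniffs the real format from magic bytes, refuses anything that is markup (including script text appended to a real image), insists that the client's Content-Type agree with the bytes, and checks PNG structure; the serving side fixes the MIME type server-side and adds nosniff plus a sandboxing CSP. MAX_AVATAR_BYTES, MAX_DIMENSION, the CSP value and the uploads in SAMPLES are assumptions constructed for the demonstration.

```python
import re
import struct
import zlib

# Raster formats an avatar endpoint will accept, keyed by magic bytes.
# SVG is deliberately absent: it is XML, may carry <script>, event handlers
# and external references, and is treated as markup rather than as an image.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
MAX_AVATAR_BYTES = 512 * 1024   # assumed limit for the demonstration
MAX_DIMENSION = 1024            # assumed limit for the demonstration

# Defence-in-depth scan for script-bearing text anywhere in the payload
# (catches <script> appended to a real image as well as files that are
# markup from byte 0). A false positive only costs a rejected upload.
MARKUP_RE = re.compile(rb"<\s*(svg|script|html|!doctype|\?php)", re.IGNORECASE)
PNG_IEND = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"  # zero-length IEND chunk + CRC


def sniff_image_type(data):
    """MIME type implied by the leading bytes, or None if not a supported raster."""
    for mime, magic in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def looks_like_markup(data):
    """True for SVG/HTML/PHP, whether at offset 0 (after BOM/whitespace) or embedded."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    return head.startswith(b"<") or MARKUP_RE.search(data) is not None


def png_dimensions(data):
    """Parse IHDR for (width, height) and require the stream to end at IEND.
    Trailing bytes after IEND are how image/script polyglots are usually built."""
    if len(data) < 33 or data[12:16] != b"IHDR" or not data.endswith(PNG_IEND):
        return None
    return struct.unpack(">II", data[16:24])


def validate_avatar(data, declared_type):
    """Return (accepted, reason, mime) for an uploaded avatar.
    The client's Content-Type is never trusted on its own: it must agree with
    what the bytes say, which is the check the ZITADEL-style bug lacked."""
    if len(data) > MAX_AVATAR_BYTES:
        return False, "too large", None
    if looks_like_markup(data):
        return False, "markup detected (svg/html/script)", None
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "unrecognised image signature", None
    if declared_type.split(";")[0].strip().lower() != sniffed:
        return False, f"declared {declared_type} but bytes are {sniffed}", None
    if sniffed == "image/png":
        dims = png_dimensions(data)
        if dims is None:
            return False, "malformed png", None
        if max(dims) > MAX_DIMENSION:
            return False, "dimensions too large", None
    return True, "ok", sniffed


def avatar_response_headers(mime):
    """Headers for serving a stored avatar. The MIME type comes from the
    server-side record, never from the stored filename; nosniff stops the
    browser second-guessing it; the CSP sandboxes the response if a browser
    is ever talked into rendering it as a document (the missing-header case)."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": 'inline; filename="avatar"',
    }


def make_png(width, height):
    """Constructed sample input: a minimal valid 8-bit RGB PNG of solid black."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height   # filter byte 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (SIGNATURES["image/png"] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


# Constructed uploads: name -> (bytes, Content-Type the client claimed).
SAMPLES = {
    "clean_png": (make_png(2, 2), "image/png"),
    "svg_with_script": (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                        b"<script>alert(document.cookie)</script></svg>", "image/svg+xml"),
    "html_declared_as_png": (b"<!DOCTYPE html><html><body><script>alert(1)</script>"
                             b"</body></html>", "image/png"),
    "png_with_appended_script": (make_png(2, 2) + b"<script>alert(1)</script>", "image/png"),
    "jpeg_declared_as_png": (b"\xff\xd8\xff\xe0" + b"\x00" * 16, "image/png"),
}


def run_samples():
    """Map each sample name to whether validate_avatar accepted it."""
    return {name: validate_avatar(data, ctype)[0] for name, (data, ctype) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (data, ctype) in SAMPLES.items():
        print(f"{name:28s} -> {validate_avatar(data, ctype)}")
```

Running the file prints the verdict for each constructed upload; only clean_png is accepted. In a real service the accepted bytes should additionally be re-encoded through an image library such as Pillow and stored under a server-generated name with a fixed extension, so that nothing the client supplied (filename, extension, metadata chunks) reaches the filesystem or the response; the example omits that step to stay dependency-free.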

Source: 0day.today, added 2014/07/08 12:00 a.m.

Atom CMS Shell Upload / SQL Injection / Bypass Vulnerabilities

Atom CMS suffers from remote shell upload and remote SQL injection vulnerabilities.
Exploit Title: Atom CMS SQL Injection and file upload vulnerability
Author: Jagriti Sahu
Vendor: https://github.com/thedigicraft/Atom.CMS
Date: 07/07/2014
Discovered at: IndiShell Lab
Love to: Surbhi, Mradul...

AI score 8.4
Exploits: 0

Source: Packet Storm, added 2014/07/07 12:00 a.m.

Atom CMS Shell Upload / SQL Injection

Exploit Title: Atom CMS SQL Injection and file upload vulnerability
Author: Jagriti Sahu
Vendor: https://github.com/thedigicraft/Atom.CMS
Date: 07/07/2014
Discovered at: IndiShell Lab
Love to: Surbhi, Mradula and Harry
Overview: Atom CMS...

AI score 0.3
Exploits: 0

Source: Prion, added 2008/02/21 12:44 a.m.

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to inscription.php, (2) courseCode parameter to main/calendar/myagenda.php, (3) category parameter to main/admin/coursecategory.php, (4) message...

CVSS 4.3 | AI score 6.1 | EPSS 0.0313
Exploits: 1 | References: 7 | Affected software: 1

Source: Prion, added 2007/12/28 12:46 a.m.

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) the subject parameter to modules/news/submit.php; (2) the PATHINFO to modules/news/index.php, possibly related to the XoopsPageNav class; or (3) an avatar image...

CVSS 4.3 | AI score 6.2 | EPSS 0.08167
Exploits: 1 | References: 11 | Affected software: 1

Source: NVD, added 2007/12/28 12:46 a.m.

CVE-2007-6545

Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) the subject parameter to modules/news/submit.php; (2) the PATHINFO to modules/news/index.php, possibly related to the XoopsPageNav class; or (3) an avatar image...

CVSS 4.3 | AI score 5.9 | EPSS 0.08167
Exploits: 1 | References: 11