3 matches found
CVE-2026-25133
CVE-2026-25133 affects October CMS prior to 3.7.14 and 4.1.10, where a stored XSS can be injected via crafted SVGs uploaded through the Media Manager due to a bypass in the SVG sanitization regex. The vulnerability requires authenticated backend access with media upload permissions and triggers w...
Arbitrary Code Injection
Overview @cocalc/hub is a CoCalc: Backend webserver component Affected versions of this package are vulnerable to Arbitrary Code Injection via uploading a crafted SVG file. An attacker can execute arbitrary code by uploading a specially crafted SVG file. Remediation A fix was pushed into the mast...
PT-2023-25071 · Chamilo · Chamilo
Name of the Vulnerable Software and Affected Versions: Chamilo versions 1.11. up to 1.11.18 Description: The issue allows attackers to execute arbitrary code via uploading a crafted SVG file, exploiting an arbitrary file upload vulnerability in the /fileUpload.lib.php component. Recommendations:...