14 matches found

NVD | added 4 days ago | 9 views

CVE-2026-4983

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

CVSS 5.4 | EPSS 0.00226 | Exploits: 1 | References: 1
CVE | added 4 days ago | 10 views

CVE-2026-4983

CVE-2026-4983 affects the Open VSX Registry where SVG icons uploaded as extensions are not sanitized before storage and are served as image/svg+xml without security headers. This enables stored cross-site scripting (XSS) when users navigate to the icon URL. The impact differs by deployment: on lo...

CVSS 5.4 | AI score 5.9 | EPSS 0.00226 | Exploits: 1 | References: 1 | Affected software: 1
Vulnrichment | added 2026/05/05 11:24 a.m. | 5 views

CVE-2026-6262 Betheme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion via 'mfn-icon-upload'

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the uploadicons function workflow using a user-controlled upload path mfn-icon-upload in a filesystem move operation without constraining it to the uploads directory. Th...

CVSS 6.5 | AI score 5.9 | EPSS 0.00349 | Exploits: 0 | References: 2
AttackerKB | added 2026/05/05 11:24 a.m. | 3 views

CVE-2026-6262

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the uploadicons function workflow using a user-controlled upload path mfn-icon-upload in a filesystem move operation without constraining it to the uploads directory. Th...

CVSS 6.5 | AI score 5.9 | EPSS 0.00349 | Exploits: 0 | References: 3
CVE | added 2026/05/05 11:24 a.m. | 15 views

CVE-2026-6262

CVE-2026-6262 affects the Betheme theme for WordPress. The vulnerability arises in the upload_icons() workflow which uses a user-controlled path (mfn-icon-upload) in a filesystem move, not restricting to the uploads directory, enabling arbitrary file deletion via path traversal. Affected: Betheme...

CVSS 6.5 | AI score 5.9 | EPSS 0.00349 | Exploits: 0 | References: 2
OSV | added 2026/04/16 11:36 p.m. | 5 views

BIT-AUTHENTIK-2024-11623 Stored XSS in authentik

The authentik project is vulnerable to stored XSS attacks via uploaded crafted SVG files that are used as application icons. This action can only be performed by an authenticated admin user. The issue was fixed in the 2024.10.4 release...

CVSS 4.8 | AI score 5.7 | EPSS 0.00274 | Exploits: 0 | References: 4
Vulnrichment | added 2026/02/21 8:15 a.m. | 4 views

CVE-2026-27479 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

CVSS 7.7 | AI score 5.5 | EPSS 0.00307 | Exploits: 1 | References: 3
EUVD | added 2025/10/07 12:30 a.m. | 5 views

EUVD-2019-5466

Malware in sbrugna...

CVSS 8.8 | AI score 8.8 | EPSS 0.00839 | Exploits: 1 | References: 3
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-16812

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 7.7 | EPSS 0.00912 | Exploits: 0 | References: 3
Vulnrichment | added 2025/05/05 6:23 p.m. | 6 views

CVE-2025-46335 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Mobile Security Framework (MobSF) is a security research platform for mobile applications on Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of...

CVSS 8.6 | AI score 5.3 | EPSS 0.00251 | Exploits: 1 | References: 2
GitHub Security Blog | added 2025/05/05 2:55 p.m. | 14 views

Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

Vulnerable MobSF Versions: .svg This file becomes publicly accessible via the web interface at http://127.0.0.1:8081/download/filename.svg. If the SVG contains embedded JavaScript (e.g., an XSS payload), accessing this URL in a browser leads to execution of the script in the context of the Mob...

CVSS 8.6 | AI score 5 | EPSS 0.00251 | Exploits: 1 | References: 4 | Affected software: 1
CNNVD | added 2023/03/30 12:00 a.m. | 4 views

Nextcloud code issue vulnerability

Nextcloud is an open source, self-hosted file synchronization, sharing and communication application platform from Nextcloud, a German company. A code issue vulnerability exists in Nextcloud Server that stems from the ability to control file names when uploading a website icon as an administrator ...

CVSS 8.8 | AI score 7.9 | EPSS 0.00762 | Exploits: 0 | References: 3
OSV | added 2019/03/29 2:29 p.m. | 4 views

CVE-2019-9605

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload...

CVSS 5.4 | AI score 6.1 | EPSS 0.00649 | Exploits: 1 | References: 1
CNVD | added 2017/03/11 12:00 a.m. | 1 view

File Upload Vulnerability at Kirin Fortress Application Publishing Feature

Kirin Fortress is an open source operations and maintenance fortress (bastion) host. A file upload vulnerability exists in the application icon upload of the application publishing feature of Kirin Fortress. This allows attackers to upload a webshell and gain server privileges...

AI score 7.1 | Exploits: 0