20 matches found

Github Security Blog
added 2026/04/13 7:23 p.m.

Note Mark has Stored XSS via Unrestricted Asset Upload

Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...

CVSS 8.7 · AI score 5.8 · EPSS 0.00012
Exploits 0 · References 5 · Affected software 1
RedhatCVE
added 2026/03/26 3:02 p.m.

CVE-2026-32753

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of...

CVSS 8.5 · AI score 5.7 · EPSS 0.0004
Exploits 1 · References 1
CVE
added 2026/03/25 6:39 p.m.

CVE-2026-33749

n8n is vulnerable to XSS in versions prior to 1.123.27, 2.13.3, and 2.14.1. An authenticated user who can create or modify workflows could craft a workflow that returns an HTML binary data object via /rest/binary-data without a filename and without Content-Disposition or Content-Security-Policy h...

CVSS 9 · AI score 5.9 · EPSS 0.0005
Exploits 0 · References 1 · Affected software 1
ATTACKERKB
added 2026/03/19 9:26 p.m.

CVE-2026-32753

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of...

CVSS 8.5 · AI score 5.7 · EPSS 0.0004
Exploits 1 · References 4 · Affected software 1
Positive Technologies
added 2026/03/19 12:00 a.m.

PT-2026-26374

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of...

CVSS 8.5 · AI score 5.7 · EPSS 0.0004
Exploits 1 · References 6
Github Security Blog
added 2026/02/25 10:40 p.m.

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure

Details The application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is...

CVSS 7.3 · AI score 5.9 · EPSS 0.00065
Exploits 1 · References 6 · Affected software 1
NVD
added 2026/02/25 10:16 p.m.

CVE-2026-27616

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application...

CVSS 7.3 · EPSS 0.00065
Exploits 1 · References 3
GitLab Advisory Database
added 2026/02/25 12:00 a.m.

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure

Details The application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is...

CVSS 7.3 · AI score 5.9 · EPSS 0.00065
Exploits 1 · References 7 · Affected software 1
EUVD
added 2026/01/30 10:11 p.m.

EUVD-2026-5000

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVSS 7.3 · AI score 5.8 · EPSS 0.0006
Exploits 0 · References 4
OSV
added 2025/10/30 3:02 p.m.

GO-2025-4065 Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server

Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server...

CVSS 6.1 · AI score 7.1 · EPSS 0.00359
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-25223

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.5 · EPSS 0.00044
Exploits 0 · References 2
OSV
added 2025/05/23 4:58 p.m.

GHSA-M4HF-FXCG-CP34 DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks...

CVSS 6.1 · AI score 6.2 · EPSS 0.00055
Exploits 0 · References 4
Github Security Blog
added 2025/05/23 4:58 p.m.

DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks...

CVSS 6.1 · AI score 6 · EPSS 0.00055
Exploits 0 · References 4 · Affected software 1
RedhatCVE
added 2025/05/21 12:20 a.m.

CVE-2025-43714

The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents instead of, for example, rendering them as text inside a code block, which enables HTML injection within most modern graphical web browsers...

CVSS 6.5 · AI score 7.3 · EPSS 0.00251
Exploits 1 · References 1
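The Note Mark, FreeScout, n8n, Vikunja, HotCRP, Mattermost, DNN and ChatGPT entries above all come down to one mechanism: a user-supplied HTML, SVG or XHTML body is served back from the application's own origin with a renderable content type and an inline or missing Content-Disposition, so the browser executes its script under that origin. The following is an added example written for this page; it is not code from any of the listed projects. It shows the check a reviewer can run against a response's headers to decide whether the body would execute, the content sniff that catches an SVG hiding behind a .png extension (the FreeScout pattern), and the header set that closes the hole. The function names, the active-type list and the sample responses at the bottom are this example's own constructed choices, not captured from the affected products.

```python
"""Inline-rendering check for user uploads.

Added example for this results page; not code from Note Mark, FreeScout,
n8n, Vikunja, HotCRP, Mattermost, DNN or any other project listed here.
Helper names, the active-type list and the sample responses are this
example's own (constructed) choices.
"""
import re

# Media types a browser treats as an active document: every one of them can
# carry <script> elements or on* event handlers that run under the origin.
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/xml",
    "text/xml",
}


def _media_type(content_type):
    """'image/svg+xml; charset=utf-8' -> 'image/svg+xml' (empty if absent)."""
    return (content_type or "").split(";")[0].strip().lower()


def sniff_is_active(body: bytes) -> bool:
    """Content-based check independent of extension or declared type.

    Catches a '.png' whose bytes are really an SVG: the body starts like
    XML/HTML/SVG, so a browser that sniffs, or is given the wrong
    Content-Type, would render it as a document.
    """
    head = body[:1024].lstrip().lower()
    return re.match(rb"<(\?xml|!doctype|svg|html|script)", head) is not None


def renders_as_script(headers: dict) -> bool:
    """True when a browser receiving these response headers will execute
    script from the body. Header-name matching is case-insensitive.

    The common defect in the advisories above: an active media type (or no
    type at all with sniffing allowed) plus an inline or missing
    Content-Disposition.
    """
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if disposition == "attachment":
        return False  # forced download; the body is never rendered
    mtype = _media_type(h.get("content-type"))
    if mtype in ACTIVE_TYPES:
        return True
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not mtype and not nosniff:
        return True  # no declared type: the browser sniffs and may pick text/html
    return False


def safe_upload_headers(filename: str, declared_type: str, body: bytes) -> dict:
    """Response headers for serving an untrusted upload from the app origin.

    Anything that is, or looks like, active content is forced to download as
    application/octet-stream regardless of extension or declared type. All
    responses get nosniff and a CSP that denies script, in case another code
    path still renders the file inline.
    """
    mtype = _media_type(declared_type) or "application/octet-stream"
    if mtype in ACTIVE_TYPES or sniff_is_active(body):
        mtype = "application/octet-stream"
        disposition = "attachment"
    else:
        disposition = "inline"
    # Conservative filename charset so it cannot break out of the quoted
    # Content-Disposition parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename or "download")
    return {
        "Content-Type": mtype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample responses modelled on the patterns in the entries above
# (not captured from the affected products).
SAMPLE_RESPONSES = {
    "svg served inline": {"Content-Type": "image/svg+xml"},
    "html, no disposition": {"Content-Type": "text/html; charset=utf-8"},
    "inline disposition for every type": {
        "Content-Type": "application/xhtml+xml",
        "Content-Disposition": "inline; filename=paper.xhtml",
    },
    "no type, sniffing allowed": {},
    "png served inline": {"Content-Type": "image/png"},
    "svg forced download": {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="logo.svg"',
    },
}


def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each sample name to whether that response would execute script."""
    return {name: renders_as_script(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, vulnerable in audit().items():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  {name}")
    svg_as_png = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
    print(safe_upload_headers("logo.png", "image/png", svg_as_png))
```

Most of the fixes referenced in these entries reduce to `Content-Disposition: attachment` for anything a browser could treat as a document; `X-Content-Type-Options: nosniff` and the script-denying CSP are defence in depth for paths that still serve inline. The sniff here is deliberately coarse (it only looks for an XML/HTML/SVG opening); the authoritative rules are in the WHATWG MIME Sniffing standard, and a production service should also re-encode or reject SVG rather than rely on a prefix match.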
SUSE CVE
added 2023/02/15 5:59 a.m.

SUSE CVE-2010-1781

Double free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the rendering of an inline element...

CVSS 6.8 · AI score 7.7 · EPSS 0.08002
Exploits 0 · References 6
SUSE CVE
added 2023/02/15 5:59 a.m.

SUSE CVE-2010-1782

WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to the rendering...

CVSS 9.3 · AI score 7.9 · EPSS 0.05982
Exploits 0 · References 6
Github Security Blog
added 2022/05/24 5:21 p.m.

Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution

An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window...

CVSS 6.1 · AI score 6.3 · EPSS 0.00359
Exploits 0 · References 4 · Affected software 1
NVD
added 2019/01/31 9:29 p.m.

CVE-2019-7296

typora through 0.9.64 has XSS, with resultant remote command execution, during inline rendering of a mathematical formula...

CVSS 6.1 · AI score 6.5 · EPSS 0.00906
Exploits 1 · References 1
OSV
added 2019/01/31 9:29 p.m.

CVE-2019-7296

typora through 0.9.64 has XSS, with resultant remote command execution, during inline rendering of a mathematical formula...

CVSS 6.1 · AI score 6.4 · EPSS 0.00906
Exploits 1 · References 1
Positive Technologies
added 2010/09/09 12:00 a.m.

PT-2010-3416 · Apple · iOS +1

Name of the Vulnerable Software and Affected Versions: Apple iOS versions prior to 4.1 Description: A double free issue in WebKit allows remote attackers to execute arbitrary code or cause a denial of service, specifically an application crash, through vectors related to the rendering of an inlin...

CVSS 6.8 · AI score 7.5 · EPSS 0.08002
Exploits 0 · References 17