Lucene search
K

7 matches found

Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-55466 Snipe-IT: Stored XSS via inline-served attachment

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline, allowing a low-privilege user to upload active...

6.2CVSS0.00351EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/08 10:54 a.m.47 views

CVE-2026-11569 Quay: quay: stored xss via filedrop svg upload

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting wh...

5.4CVSS0.00138EPSS
Exploits0References2
Friends Of PHP
Friends Of PHP
added 2026/06/04 6:43 a.m.6 views

Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField

EasyAdmin's FileField and ImageField accept browser-executable file types by default FileField applies no MIME/extension restrictions; ImageField's default Image constraint accepts SVG. When the upload directory is configured inside the public web root — as shown in the documentation — EasyAdmin...

6.2AI score
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/20 7:57 p.m.11 views

CVE-2026-33741

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry...

6.8CVSS5.8AI score0.00211EPSS
Exploits0References1
NVD
NVD
added 2025/11/06 4:16 p.m.8 views

CVE-2025-63307

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting XSS. The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization...

8.1CVSS0.00361EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2025/11/06 12:0 a.m.4 views

CVE-2025-63307

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting XSS. The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization...

6AI score0.00361EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2025/11/06 12:0 a.m.10 views

PT-2025-45330

alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting XSS. The application permits user-controlled upload, create, and rename of files to HTML and SVG types and serves those files inline without adequate content-type validation or output sanitization...

8.1CVSS6.4AI score0.00361EPSS
Exploits2References4
Rows per page
Query Builder