Lucene search
K

103 matches found

NVD
NVD
added 2026/07/01 1:17 p.m.7 views

CVE-2026-53907

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

5.4CVSS0.0014EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 11:58 a.m.9 views

EUVD-2026-40953

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

7.1CVSS5.8AI score0.00208EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:58 a.m.28 views

CVE-2026-53907

MCO is vulnerable to a Stored Cross‑Site Scripting (XSS) flaw in the application logo upload feature. A user who can change the logo can upload a crafted SVG containing JavaScript that executes when the logo renders, enabling code execution in the origin context. The vulnerability is confirmed fo...

5.4CVSS5.8AI score0.0014EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.6 views

PT-2026-54833

Name of the Vulnerable Software and Affected Versions MCO version 25.3.3.1 Description The software is subject to Stored Cross-Site Scripting XSS, a flaw where malicious scripts are permanently stored on the target server. This occurs through the application logo upload functionality, allowing an...

5.4CVSS5.8AI score0.0014EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/11 6:55 p.m.11 views

EUVD-2026-36303

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...

8.1CVSS5.1AI score0.0031EPSS
Exploits0References3
OSV
OSV
added 2026/06/11 6:55 p.m.2 views

CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...

8.1CVSS5.8AI score0.0031EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.14 views

PT-2026-48727

Name of the Vulnerable Software and Affected Versions SolidInvoice versions prior to 2.3.17 Description The company logo upload feature lacks validation for uploaded file types. An authenticated administrator can upload an SVG file containing base64-encoded JavaScript. This script is injected...

8.1CVSS4.9AI score0.0031EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.14 views

SolidInvoice 跨站脚本漏洞

SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a cross-site scripting vulnerability. This vulnerability stemmed from the company logo upload feature not verifying file types. As a result, authenticated...

8.1CVSS4.9AI score0.0031EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.10 views

CVE-2026-3892

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to...

8.1CVSS5.6AI score0.00256EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 a.m.30 views

CVE-2026-3892

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to...

8.1CVSS0.00256EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.17 views

PT-2026-40884

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to...

8.1CVSS5.9AI score0.00256EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/19 7:15 a.m.31 views

CVE-2026-6561 EyouCMS Index.php edit_adminlogo unrestricted upload

A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function editadminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The attack is possible to be carried out remotely. The exploit ...

5.8CVSS0.00279EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.6 views

CVE-2026-27605

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files project logos without validating the file type or content. It trusts the extension provided by the user...

6.3CVSS5.7AI score0.00211EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/02/23 1:30 p.m.8 views

CVE-2026-27479

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

7.7CVSS5.4AI score0.00307EPSS
Exploits1References1
NVD
NVD
added 2026/02/21 9:15 a.m.17 views

CVE-2026-27479

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

7.7CVSS0.00307EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/21 8:15 a.m.24 views

CVE-2026-27479 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

7.7CVSS0.00307EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/21 8:15 a.m.4 views

CVE-2026-27479 Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

7.7CVSS5.5AI score0.00307EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/02/21 12:0 a.m.8 views

PT-2026-21371

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery SSRF vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the...

7.7CVSS5.6AI score0.00307EPSS
Exploits1References4
NVD
NVD
added 2026/02/18 11:16 p.m.10 views

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althou...

7.5CVSS0.0022EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/18 8:59 p.m.5 views

CVE-2026-24743 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting XSS vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...

5.7CVSS5.7AI score0.0022EPSS
Exploits1References2
Rows per page
Query Builder