
151 matches found

Vulnrichment
added 2026/05/22 5:55 p.m., 7 views

CVE-2026-39970 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...

CVSS 8.5, AI score 6, EPSS 0.00356
Exploits 0, References 2
Cvelist
added 2026/05/22 5:55 p.m., 7 views

CVE-2026-39970 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...

CVSS 8.5, EPSS 0.00356
Exploits 0, References 2
CVE
added 2026/05/22 5:55 p.m., 22 views

CVE-2026-39970

The CVE covers TypeBot (chatbot builder) ≤ version 3.15.2, where the profile picture upload form fails to sanitize SVG/XML uploads and directly renders them. This enables stored XSS via crafted SVGs containing JavaScript, with payload stored on app.typebot.io and accessible via a permanent link, ...

CVSS 8.5, AI score 6, EPSS 0.00356
Exploits 0, References 2
RedhatCVE
added 2026/04/14 1:22 a.m., 4 views

CVE-2025-51414

In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page...

CVSS 8.8, AI score 5.9, EPSS 0.00305
Exploits 0, References 1
NVD
added 2026/04/13 9:16 p.m., 2 views

CVE-2025-51414

In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page...

CVSS 8.8, EPSS 0.00305
Exploits 0, References 2
CVE
added 2026/04/13 12:00 a.m., 4 views

CVE-2025-51414

Phpgurukul Online Course Registration v3.1 is affected by an arbitrary file upload vulnerability in the profile picture upload at /my-profile.php. The CVE details indicate a high-severity issue (CVSS 3.1: 8.8) with network access and low attacker/authentication requirements, enabling total impact...

CVSS 8.8, AI score 5.9, EPSS 0.00305
Exploits 0, References 2
Vulnrichment
added 2026/04/13 12:00 a.m., 1 view

CVE-2025-51414

In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page...

AI score 5.9, EPSS 0.00305
Exploits 0, References 2
CVE
added 2026/04/03 4:00 p.m., 10 views

CVE-2026-5472

CVE-2026-5472 affects ProjectsAndPrograms School Management System (up to build 6b6fae5426044f89c08d0dd101c7fa71f9042a59). The vulnerability lies in the Profile Picture Handler, specifically an unknown function in /admin_panel/settings.php that manipulates the File argument to cause unrestricted ...

CVSS 6.5, AI score 6.2, EPSS 0.00201
Exploits 0, References 4
OSV
added 2026/02/18 6:24 p.m., 2 views

CVE-2025-70151

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints updateprofilepicture.php and uploadpicture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied...

CVSS 8.8, AI score 6.5, EPSS 0.00589
Exploits 1, References 2
Cvelist
added 2026/02/18 12:00 a.m., 21 views

CVE-2025-70151

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints updateprofilepicture.php and uploadpicture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied...

EPSS 0.00589
Exploits 1, References 2
RedhatCVE
added 2026/01/27 9:23 a.m., 5 views

CVE-2026-1423

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed...

CVSS 9.8, AI score 6.4, EPSS 0.00383
Exploits 1, References 1
NVD
added 2026/01/26 7:16 a.m., 6 views

CVE-2026-1423

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed...

CVSS 9.8, EPSS 0.00383
Exploits 1, References 5
Vulnrichment
added 2026/01/26 6:32 a.m., 4 views

CVE-2026-1423 code-projects Online Examination System admin_pic.php unrestricted upload

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed...

CVSS 6.5, AI score 5.6, EPSS 0.00383
Exploits 1, References 5
Cvelist
added 2026/01/26 6:32 a.m., 35 views

CVE-2026-1423 code-projects Online Examination System admin_pic.php unrestricted upload

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed...

CVSS 6.5, EPSS 0.00383
Exploits 1, References 5
RedhatCVE
added 2026/01/09 12:32 p.m., 7 views

CVE-2023-4536

The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscribers, to upload arbitrary files to the server, leading to RCE...

CVSS 8.8, AI score 6.8, EPSS 0.00816
Exploits 2, References 1
RedhatCVE
added 2026/01/07 9:09 a.m., 4 views

CVE-2024-2299

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is...

CVSS 7.4, AI score 6.9, EPSS 0.00366
Exploits 1, References 1
RedhatCVE
added 2026/01/07 9:08 a.m., 8 views

CVE-2024-2288

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without thei...

CVSS 8.3, AI score 7.9, EPSS 0.00258
Exploits 1, References 1
Vulnrichment
added 2025/12/14 2:32 a.m., 2 views

CVE-2025-14642 code-projects Computer Laboratory System technical_staff_pic.php unrestricted upload

A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the publi...

CVSS 5.8, AI score 6.6, EPSS 0.00337
Exploits 1, References 5
Positive Technologies
added 2025/12/01 12:00 a.m., 3 views

PT-2025-48419

Name of the Vulnerable Software and Affected Versions: moxi159753 Mogu Blog versions up to 5.2. Description: A security issue exists in moxi159753 Mogu Blog v2. The LocalFileServiceImpl.uploadPictureByUrl function, located in the /file/uploadPicsByUrl file, is susceptible to server-side request...

CVSS 9.8, AI score 7, EPSS 0.00444
Exploits 1, References 15
RedhatCVE
added 2025/10/14 8:34 p.m., 2 views

CVE-2025-62364

text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the...

CVSS 6.2, AI score 7, EPSS 0.0052
Exploits 0, References 1