Lucene search
K

8 matches found

RedhatCVE
RedhatCVE
added 2026/03/02 1:51 a.m.11 views

CVE-2026-28558

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...

6.4CVSS5.8AI score0.00208EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/28 9:47 p.m.20 views

CVE-2026-28558 wpForo Forum 2.4.14 Stored XSS via SVG Avatar File Upload

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the...

6.4CVSS0.00208EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/28 12:0 a.m.7 views

PT-2026-22479

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14 Description The software contains a stored cross-site scripting issue that permits authenticated subscribers to upload specially crafted SVG files as profile avatars. This is achieved through the avatar upload...

6.4CVSS5.9AI score0.00208EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/12/04 12:11 a.m.6 views

CVE-2025-65267

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting XSS. Successful...

9CVSS6.1AI score0.00296EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/03 3:30 p.m.6 views

EUVD-2025-200968

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting XSS. Successful...

9CVSS5.6AI score0.00296EPSS
Exploits0References4
CNNVD
CNNVD
added 2025/12/03 12:0 a.m.6 views

ERPNext和Frappe Technologies Frappe Framework 安全漏洞

Frappe Technologies Frappe Framework is a metadata-driven full-stack web application framework based on Python and JavaScript from Frappe Technologies, India.ERPNext is a suite of open-source Enterprise Resource Planning ERP solution. A security vulnerability exists in ERPNext version v15.83.2 an...

9CVSS6AI score0.00296EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/12/03 12:0 a.m.3 views

CVE-2025-65267

In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting XSS. Successful...

5.7AI score0.00296EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/10/01 12:0 a.m.53 views

CVE-2025-56515

File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file content, allowing malicious SVG files with embedded foreignObject elements containing iframe tags and JavaScript event handlers onmouseover to be uploaded...

0.00481EPSS
Exploits1References3
Rows per page
Query Builder