CVE-2026-56394

Craft CMS 4.0.0-RC1 contains an authenticated path traversal in the assets/icon endpoint. The extension parameter is not validated before file-existence checks, allowing traversal sequences to resolve to existing SVG files and enabling local file read access. Root cause is improper validation of ...

CVE-2026-56394

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files,...

EUVD-2026-38160

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files,...

CVE-2026-54394

The CVE-2026-54394 entry describes a path traversal vulnerability in MISP's OrganisationsController::getOrgLogo. The vulnerable code constructs paths to organisation logos using fields like id, name, and uuid without enforcing that the resolved path stays under APP/files/img/orgs/. An attacker ab...

CVE-2026-25558

CVE-2026-25558 affects QloApps up to version 1.7.0. The issue is a stored cross-site scripting flaw in the admin file manager, permitting an authenticated administrator to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed event handlers (e.g., onload) in SVGs uploade...

CVE-2026-47119

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the imageget API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Dispositio...

CVE-2026-47119 Agent Zero < 1.15 Stored XSS via image_get API Endpoint

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the imageget API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Dispositio...

Agent Zero 跨站脚本漏洞

Agent Zero is an artificial intelligence framework developed by Jan Tomášek. Versions of Agent Zero prior to 1.15 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of security headers when SVG files were provided through the imageget endpoint, which could le...

PT-2026-44006

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Dispositi...

CVE-2021-47958

CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal service...

CVE-2026-44259 efw4.X: Stored XSS via previewServlet

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml...

CVE-2026-44259

efw4.X: Stored XSS via previewServlet affects versions prior to 4.08.010. The previewServlet serves files by inferring MIME type from file extensions (e.g., .html, .htm -&gt; text/html; .svg -&gt; image/svg+xml) without sanitizing content or applying security headers. This can cause embedded Java...

UBUNTU-CVE-2025-14576

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

PT-2026-35746

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

DNN 安全漏洞

DNN also known as DotNetNuke is an open-source content management system CMS developed by the American company DNN, supported by Microsoft and based on the ASP.NET platform. This system features easy installation, scalability, and rich functionality. Versions of DNN prior to 10.2.2 contained...

CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload

Summary The file upload endpoint validates Content-Type using only the client-supplied multipart header, with no server-side content inspection or file extension validation. Combined with an unauthenticated static file server that determines Content-Type from file extension, this allows an admin ...

QuickDrop 跨站脚本漏洞

QuickDrop is a self-hosted anonymous file sharing application developed by Rostislav. It supports multipart uploads and encrypted storage. Versions of QuickDrop prior to 1.5.3 had a cross-site scripting vulnerability. This vulnerability stemmed from a storage-related cross-site scripting flaw in...

EUVD-2026-16666

The '/api/v1/files/images/flowid/filename' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leadi...

CVE-2026-30974 Copyparty volflag `nohtml` did not block javascript in svg files

Copyparty is a portable file server. Prior to v1.20.11., the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the...