8 matches found
CVE-2026-29183
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon": when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoi...
CVE-2021-47783
Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform...
CVE-2026-0858
CVE-2026-0858 affects net.sourceforge.plantuml:plantuml prior to 1.2026.0, where GraphViz diagram attributes are not sufficiently sanitized, enabling Stored XSS that can inject JavaScript into generated SVG and lead to arbitrary script execution when rendered by applications. Connected sources co...
EUVD-2025-32301
Malicious code in bioql PyPI...
Grist Cross-Site Scripting Vulnerability
Grist is a modern relational spreadsheet open-sourced by Grist. A cross-site scripting vulnerability exists in Grist versions prior to 1.3.2, which stems from JavaScript in an SVG file that can be executed in the context of the user's current page, thereby compromising the account of a user who...
PT-2020-16209
Name of the Vulnerable Software and Affected Versions: Tiny Tiny RSS versions prior to 2020-09-16. Description: An issue was discovered in the cached url feature, which mishandles JavaScript inside an SVG document. This issue affects Tiny Tiny RSS. Recommendations: For versions prior to 2020-09-16,...
CVE-2020-15006
Bludit 3.12.0 allows stored XSS via JavaScript code in an SVG document to bl-kernel/ajax/logo-upload.php...
CVE-2019-16126
Grav through 1.6.15 allows Stored Cross-Site Scripting due to JavaScript execution in SVG images...