11 matches found
EUVD-2026-40953
MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...
CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
SolidInvoice 跨站脚本漏洞
SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a cross-site scripting vulnerability. This vulnerability stemmed from the company logo upload feature not verifying file types. As a result, authenticated...
CVE-2026-45627
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2023-31698
Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting XSS via SVG file on site logo. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content users cannot create their own accounts through self-registration...
CVE-2025-61999
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...
CVE-2025-61999
CVE-2025-61999 affects OPEXUS FOIAXpress before 11.13.3.0. An administrative user can upload an SVG image (logo) containing JavaScript or other content, causing stored XSS when other users view affected pages. This can enable the admin to perform actions on behalf of target users, including steal...
EUVD-2022-31755
Malicious code in bioql PyPI...
CVE-2022-27246
An issue was discovered in MISP before 2.4.156. An SVG org logo which may contain JavaScript is not forbidden by default...
CVE-2022-27246
An issue was discovered in MISP before 2.4.156. An SVG org logo which may contain JavaScript is not forbidden by default...