
11 matches found

EUVD
added 4 days ago, 7 views

EUVD-2026-40953

MCO is vulnerable to Stored Cross‑Site Scripting XSS via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

CVSS 7.1 | AI score 5.8 | EPSS 0.00256
Exploits 0 | References 2
Vulnrichment
added 2026/06/11 6:55 p.m., 7 views

CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...

CVSS 8.1 | AI score 4.8 | EPSS 0.0031
Exploits 0 | References 3
Cvelist
added 2026/06/11 6:55 p.m., 29 views

CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...

CVSS 8.1 | EPSS 0.0031
Exploits 0 | References 3
CNNVD
added 2026/06/11 12:00 a.m., 11 views

SolidInvoice cross-site scripting vulnerability

SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a cross-site scripting vulnerability. This vulnerability stemmed from the company logo upload feature not verifying file types. As a result, authenticated...

CVSS 8.1 | AI score 4.9 | EPSS 0.0031
Exploits 0 | References 1
RedhatCVE
added 2026/06/05 7:18 p.m., 9 views

CVE-2026-45627

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

CVSS 8.2 | AI score 5.4 | EPSS 0.00185
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 12:32 p.m., 6 views

CVE-2023-31698

Bludit v3.14.1 is vulnerable to Stored Cross Site Scripting XSS via SVG file on site logo. NOTE: the product's security model is that users are trusted by the administrator to insert arbitrary content users cannot create their own accounts through self-registration...

CVSS 5.4 | AI score 5.9 | EPSS 0.02586
Exploits 4 | References 1
OSV
added 2025/10/08 12:15 a.m., 4 views

CVE-2025-61999

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...

CVSS 4.8 | AI score 5.8 | EPSS 0.00225
Exploits 0 | References 3
CVE
added 2025/10/07 11:14 p.m., 20 views

CVE-2025-61999

CVE-2025-61999 affects OPEXUS FOIAXpress before 11.13.3.0. An administrative user can upload an SVG image (logo) containing JavaScript or other content, causing stored XSS when other users view affected pages. This can enable the admin to perform actions on behalf of target users, including steal...

CVSS 4.8 | AI score 6.4 | EPSS 0.00225
Exploits 0 | References 3 | Affected Software 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-31755

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.4 | EPSS 0.00573
Exploits 0 | References 1
OSV
added 2022/03/18 6:15 p.m., 9 views

CVE-2022-27246

An issue was discovered in MISP before 2.4.156. An SVG org logo which may contain JavaScript is not forbidden by default...

CVSS 6.1 | AI score 6.8
Exploits 0 | References 1
ATTACKERKB
added 2022/03/18 6:15 p.m., 4 views

CVE-2022-27246

An issue was discovered in MISP before 2.4.156. An SVG org logo which may contain JavaScript is not forbidden by default...

CVSS 6.1 | AI score 5.9 | EPSS 0.00573
Exploits 0 | References 2