7 matches found

Github Security Blog
added 2026/02/04 9:32 p.m., 5 views

Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager

Impact: Affected versions of Winter CMS allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account holding the following permission: cms.manageasset...

CVSS 3.5 | AI score 5.4 | EPSS 0.00015
Exploits: 0 | References: 5 | Affected software: 1
RedhatCVE
added 2025/10/29 10:14 p.m., 1 view

CVE-2025-64094

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files did not cover all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This...

CVSS 6.4 | AI score 6.2 | EPSS 0.00055
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-58772

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 9 | EPSS 0.00388
Exploits: 2 | References: 3
Positive Technologies
added 2025/08/09 12:00 a.m., 4 views

PT-2025-32424

Name of the vulnerable software and affected versions: Frappe Learning versions 2.33.0 and below. Description: Frappe Learning is a learning system designed to help users structure content. The image upload functionality did not properly sanitize uploaded SVG files, allowing users to upload files...

CVSS 8.8 | AI score 4.6 | EPSS 0.00136
Exploits: 0 | References: 10
Cvelist
added 2024/06/25 6:00 a.m., 18 views

CVE-2024-4759 Mime Types Extended <= 0.11 - Author+ Stored XSS via SVG Upload

The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads...

EPSS 0.00125
Exploits: 2 | References: 1
OSV
added 2023/04/26 3:15 p.m., 1 view

UBUNTU-CVE-2022-25277

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did...

CVSS 7.2 | AI score 6.3 | EPSS 0.02448
Exploits: 0 | References: 3
OSV
added 2021/11/10 1:19 a.m., 2 views

CVE-2021-41372

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when a Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and the HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to...

CVSS 7.6 | AI score 5.8 | EPSS 0.00233
Exploits: 0 | References: 1